Welcome to another issue of (IN)SECURE, packed with a variety of security articles for all levels of knowledge. With pressure related to PCI compliance growing as the year progresses, we offer some insight into the topic. We have an interview with Jeremiah Grossman from WhiteHat Security who will give you some interesting details when it comes to web application security. There's also material about keyloggers, Network Access Control, Windows security, and much more.

In collaboration with Addison-Wesley and Cisco Press, we have a book giveaway where 5 lucky readers 
will get some free knowledge. What are you waiting for? 

Mirko Zorz 
Chief Editor 
Corporate security news

Take care of spam on your phpBB forum with bbAntiSpam

bbAntiSpam released bbAntiSpam Advanced Textual Confirmation 1.0.2. This PHP script will help users build rock-solid protection against spam messages for their phpBB, vBulletin, WordPress, Wiki, or a guestbook. The bbAntiSpam script works transparently between visitors and a PHP application. When someone attempts to submit data, the script comes to life and starts the confirmation process. It will select a random question from its database and wait for the visitor to give the correct answer. Once it's provided, the request of the visitor is forwarded to the web application. (www.bbantispam.com)

Textual Confirmation settings in the phpBB admin panel: "Separate question blocks by an empty line. In each block, the first line is the question, and the rest lines are the correct answers. The question string must be valid HTML. The answers are case-insensitive."
Example question blocks shown in the screenshot: "Are you human?" with the answer "yes", and "Say hello" with the answer "hello".
Requirements for the CISSP certificate will be raised

(ISC)2 announced its board of directors has approved new professional experience and endorsement requirements for the Certified Information Systems Security Professional (CISSP) certification. Effective 1 October 2007, the minimum experience requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK, a taxonomy of information security topics recognized by professionals worldwide, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. Currently, CISSP candidates are required to have four years of work experience or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list, in one or more of the 10 domains of the CISSP CBK. (www.isc2.org)
First geographical load balancing SSL VPN

AEP Networks announced the AEP Netilla Security Platform (NSP) Release 5.6, in which the standard load-balancing configurations now enable geographical load balancing, providing load sharing and fail-over between independent NSP clusters in geographically diverse data centers. It is configurable by the enterprise as active-active for organizations self-insuring against a failure in their owned data centers or as active-passive for customers using a standby/backup disaster recovery facility service, such as those provided by IBM or Sungard. (www.aepnetworks.com)



SonicWALL Network Security Appliance E7500 unveiled

SonicWALL unveiled the SonicWALL Network Security Appliance (NSA) E7500, a new gateway security appliance that makes deep packet inspection security productive and easy to manage in larger network deployments. Designed to enable the highest level of UTM performance at its price point, the NSA E7500 is intended for campus networks, distributed environments and data centers. The NSA E7500 features SonicWALL's characteristic ease of management combined with low cost of ownership and a rich set of inbound and outbound network control capabilities. (www.sonicwall.com)



Nearly 40 percent of large organizations don't monitor databases for suspicious activity

Application Security announced the results of a Ponemon Institute survey underscoring the serious challenges organizations face in securing sensitive data. With more than 150 million data records exposed in the past two years, the survey also highlights an organizational disconnect between the realization of the threat and the urgency in addressing it. Forty percent said their organizations don't monitor their databases for suspicious activity, or don't know if such monitoring occurs. Notably, more than half of these organizations have 500 or more databases - and the number of databases is growing. (www.appsecinc.com)



New Digital Signature Services OASIS Standard

The members of the international standards consortium OASIS have approved Digital Signature Services (DSS) version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. DSS defines an XML interface to process digital signatures for Web services and other applications, enabling the sharing of digital signature creation, verification and other associated services, without complex client software and configuration. DSS describes two XML-based request/response protocols, one for signatures and a second for verification. Using these protocols, a client can send documents to a server and receive back a signature on the documents; or send documents and a signature to a server and receive back an answer on whether the signature verifies the documents. (www.oasis-open.org)
GFI releases software suite for PCI DSS compliance

GFI Software announced the release of the GFI PCI Suite, a package aimed at helping companies meet the strict requirements and tight deadlines imposed by the Payment Card Industry Data Security Standards (PCI DSS) and comply with the majority of automated processes required for compliance. The GFI PCI Suite provides a centralized management console through which systems administrators can deploy the PCI DSS enhanced versions of GFI EventsManager and GFI LANguard N.S.S. - two solutions that are vital to network security and essential to meet the directives imposed by PCI DSS. GFI EventsManager boosts PCI DSS compliancy efforts by alerting administrators on key events occurring on the network while GFI LANguard N.S.S. allows IT professionals to proactively identify network security weaknesses and fix them before these are exploited. (www.gfi.com)



New Symantec Foundation IT Risk Assessment service

Symantec announced Symantec Foundation IT Risk Assessment, a comprehensive consulting service designed to provide customers with an overview of their current IT risk exposure and guidance on remediation. The service helps customers take the first step toward a comprehensive IT Risk Management program. The service identifies, categorizes and prioritizes current IT risks so investments can be made in projects that manage IT risk, cost, and performance for maximum business returns. (www.symantec.com)



One-time passcodes on mobile devices with SafeWord MobilePass

Secure Computing released SafeWord MobilePass, a new software authenticator that allows a user access to Virtual Private Networks (VPN), Citrix, Outlook and a number of other applications through one-time passcodes generated on their personal mobile device or laptop PC. MobilePass provides convenience as well as enhanced security through proven, two-factor authentication, establishing proof-positive identity for all users accessing trusted corporate and consumer applications. Additionally, SafeWord MobilePass helps to increase productivity at a low total cost of ownership. (www.securecomputing.com)




New software programmer exams for application security certification

The SANS Institute launched the first GIAC Secure Software Programmer (GSSP) exams. The inaugural exams covering C and Java/Java EE will be held August 14, 2007, in Washington, D.C. "The lack of trustworthy standards and certifications has been a challenge for software buyers and software developers," said Hartmut Raffler, head of Technology Division Information and Communication at Siemens Corporate Technology. "Secure programming skills are essential for building software that can be trusted. SANS' willingness to offer this exam as part of a comprehensive secure coding improvement strategy is exciting and will help both buyers and sellers of software." (www.sans.org)
If you have been reading through (IN)SECURE Magazine or its sister web site Help Net Security, you have seen that endpoint security is one of the hottest information security topics. With all the new portable devices, ranging from 2 GB USB key chains, to U3 sticks or even the new Apple media darling iPhone, organizations are seeing more and more potential problems surrounding them.

You cannot strip search your employees for any eligible portable device, but you can enforce strict company policies with a tool like DeviceWall (www.devicewall.com). This application gives you an opportunity to centrally manage and control the usage of any kind of portable media on computers located on your network.



Installation

The DeviceWall installation process is a typical one. After setting up your registration details, you have the opportunity of choosing one of two setup options. The application needs an SQL installation, so if you don't have one active yet, just choose the "Typical" type of setup. This way, after DeviceWall is installed, the setup wizard will place on your computer an MSDE instance that will act as an SQL server. As you probably figured out, the SQL server will be used for centralized logging of events. If in the past you used some of the crypto products such as OpenSSL or PGP, the final act of the installation will be a familiar one - you will need to dynamically move the pointer of your mouse to generate a random key later used by the software.
The DeviceWall control center interface

During the installation of the product on my computer running Windows Vista, I came across a warning message related to the MSDE SQL runtime. While at first I thought that this is some kind of a bug, DeviceWall promptly gave a message to consult with the Release.txt which came in the installation package. The warning message was about the file msxml2.dll, which was missing but was available as a Hot-fix from the Microsoft Knowledge Base Article 823490.



Policy Wizard, Device Access Configuration: "This page allows you to set device access for all users." Initial device settings: No access or Read/Write.
The link to the article is available in the mentioned text file and the good thing is that the installation doesn't fail because of this. You will just need to install the Hot-fix before any device connection data can be successfully added to the Audit Log Database.

Usage and functionality

A couple of minutes after I started the installation, the setup was finalized and I must say that I found the graphical user interface very appealing. The application window is easy to apprehend and has somewhat larger toolbar buttons than I usually stumble upon.



Setting up a default policy

DeviceWall works in the client/server way. You install the application control center on the main computer and easily deploy clients all over the network.

Naturally, you don't need to manually go to every single computer (although strangely enough, not all companies switched from this "old school" way of doing things), as DeviceWall offers some typical remote installation possibilities.

In search for client computers, the administrator can browse a domain or Active Directory, import a list file, enter a computer name, but I found the "specify IP range" the best option for a larger network such as the one I tested at work.

DeviceWall's inner workings are based on a policy which can be set up in different ways. While installing the application you have an option to set up the default policy, but it is recommended that you do it directly from the application after the install.

DeviceWall doesn't log just the policy violations, so for the companies that don't have an already defined security policy related to portable devices, there is a neat way of setting up an "all open" policy to monitor your network.
Customizing the policy

This way, in a week or so, you could see what actually happens with your users and their devices, and therefore can react to the actual happenings in your network.



Policy Update and Client Status dialog: "Check the computers to be updated then click [Update >] to proceed. Click [Search...] to search for computers already running the Client Service." The list shows each client's name, client version and whether its policy is up to date.

Updating policy on a test computer through the control center
The default policy provides you three different setups - deny all, allow all or create a custom one.

The good thing is that the software comes with a list of grouped classes, such as storage and imaging devices, portable devices, communication ports etc., so you won't need much time to get into business and start DeviceWall's monitoring of your users. Each of these classes is divided into specific groups of devices, so you can easily set up custom allow/deny rules for each of them. Of course, you can also set permissions based on users and groups.



Client Settings dialog: enable policy enforcement pop-up; administrator message (max 200 chars): "This message is generated by DeviceWall; it is not an error on your PC."; organization name (max 40 chars); display pop-up when a user logs in; allow user to disable login pop-up; policy up-to-date check interval (minutes): 360; enable client 'Please Restart' pop-up; enable device connection logging; enable file access data logging; enable desktop shortcut; set client removal password.

Creating custom client settings



While setting up the client you can describe the alert the user will get after trying something that is forbidden, as well as create a time interval in which the client will automatically contact the server for a possibly updated policy. You can do this manually from the command center, but it is of course much better and more flexible to do it automatically. As you would expect, the end users won't have any possibility of changing, editing or removing the client portion of DeviceWall on their computers.

One of the things I really liked was a piece of functionality that comes around while setting the custom policy. Let's say that your company has standard equipment given to all the employees, such as a typical USB memory stick or a specific PDA device needed for the everyday work experience. For instance, if you would block all USB storage devices, the one needed by the user would also get in the "black zone".

DeviceWall offers administrators the possibility to define and set up a specific device that can be identified as "safe" and therefore can be used even if the company policy denies the same type of hardware.
DeviceWall Security Alert: "DeviceWall® has blocked an unauthorized device. Click here for details. This message is generated by DeviceWall; it is not an error on your PC. If you have a legitimate need to use a restricted device, please contact your line manager."

Error and alert after starting a "forbidden" device



Besides the few nice additional tools I will mention afterwards, the last part of this software's functionality is related to auditing the logs generated by the device usage throughout the network computers. There is a separate portion of the product which offers different types of graphical reports, which you can redraw based on time frames, device classes, as well as different graphical presentation options.



DeviceWall Policy pop-up for INSECURE Mag: "DeviceWall® security policy in operation for user Administrator. You currently have unrestricted access to all devices. Your usage of devices is being monitored. [ ] Do not display a policy enforcement pop-up when I next log in. Note: The pop-up will be re-enabled if the device usage policy changes."

Alert that DeviceWall is present on the client computer



If you're running your control center on a computer with a screen resolution lower than 1024x768, the application will give you an error saying it needs at least 1024x768 to draw graphs.

I know that chances of installing this kind of a management platform on a system with a resolution such as 800x600 are slim, but this can also appear on some widescreen notebooks.

I found a quick workaround for this. Just go to your system settings and switch to a resolution needed by the application. Your display will look shoddy, but just use this new resolution until you click the Audit Log Graphical Display icon.

As soon as the Audit Log opens, switch back to your old resolution and the log presentation option will work just fine.
Audit Log Graphical Report: External Device Connection Over Time (include device classes; Blocked WiFi; Clipboard Copy; Export...)

Options you can choose while drawing reports



The specific events can also be presented through the DeviceWall main interface, where a user can browse through per-device or per-user access details such as files and locations, as well as check out a file access summary with all the top file extensions. For example, the Dynamic Activity Monitor applet can be installed on client computers to dynamically check out all the events logged from this location. This allows you to check a specific (potentially problematic) computer without accessing the control center on the main server.



Temporary Access Wizard, Device Class Selection: "Select up to 3 device classes, or check revoke to cancel existing codes." Options: Allow access to all classes; Revoke Existing Temporary Access.

Using Temporary Access Wizard
The Temporary Access Tool is another interesting addition through which an administrator can temporarily give users access to specific devices. The time frame can be specified, or if needed, a 16-digit key can be dispatched to the user that can be used for unlocking some of the resources.



DeviceWall Temporary Access dialog on the client: "To obtain temporary access to a Device Class, call your Network Administrator and quote the code displayed below: 511D-DF2C-B8F0-087B. Enter the code the Administrator gives you in the fields below."



I will conclude this article on DeviceWall by mentioning a nice, but effectively not so important tool, that offers users the possibility to encrypt data on recognized USB disks.



Encryption Settings dialog: Enable Encryption; Encryption Key Model (Global Key Model or User Key Model); Encryption Cipher; Set Password Parameters; Reset Global Key; Backup Global Key.



Final thoughts

DeviceWall is really an excellent application. In a nice looking GUI, it sports quality policy deployment methods, powerful event logging/analyzing options and strong policy enforcement and alerting actions. Bottom line - it works flawlessly and will definitely be an extensive endpoint security mechanism for your network.

Mark Woodstone is a security consultant who works for a large Internet Presence Provider (IPP) that serves about 4000 clients from 30 countries worldwide.
Enterprise grade remote access

By Vladimir Jirasek

I started with a basic solution for remote access to the network in my previous article published in (IN)SECURE volume 11. The solution was based on certificates and used two-factor authentication in its simplest mode - something you know (certificate pass-phrase) and something you have (a certificate).

However there was one big issue with the solution - manageability and scalability. We cannot really expect that an administrator, either security or network one, is going to manually generate certificates and then install them into hundreds or thousands of computers. That is why the solution was not really ready for enterprises with a large number of computers and users. That is why we need to look for enterprise grade solutions and this article is going to show some of them, putting emphasis on authentication and authorization.



When choosing a solution for remote access, these questions should be answered:

• what is an acceptable level of security

• how many users will be enrolled for the service in total and using it in peak times

• what applications need to be accessed by remote users.

The level of security is a rather general term and should include authentication and authorization of users, access control, logging and monitoring of security events, enforcing end point security, level of encryption, resetting access if a password is forgotten, etc.

The number of users will define the integration necessary with the enterprise identity and access management system, scaling of the remote access platform and the bandwidth necessary to serve users in peak times.

The applications will define the type of the remote access system, such as full IP or SSL based systems. I will focus, obviously, on security aspects covering different types of remote access systems.
Authentication and authorization

This is by far the first question anyone asks about the remote access system. We all hear about dual factor authentication, so what is it and, most importantly, do we actually need dual factor authentication? And the answer is... YES:

• it is more secure and

• it is possibly a regulatory requirement for your company!

It is more secure by requiring users to present more than one piece of evidence to prove identity.

There are three factors of authentication:

• knowledge (something you know) - the most common and probably the most insecure method of all three. Knowledge can be easily transferred (would you not tell the password under a life threat?). Passwords and pass-phrases are typical examples and users have a proven track record of not selecting passwords strong enough. This can lead to dictionary or brute force attacks.

• possession (something you have) - you must have something to authenticate. This can be something like a certificate, a mobile phone (or better a SIM card), a RAS token, a smart card, etc. On its own, this is almost as (in)secure as the first one, purely because it can be easily transferred and lost, although it provides better protection against brute force and dictionary attacks.

• being (someone you are) - the best method of all that uses your body (or parts of it) to prove your identity to the system.

Several parts of the body can be used, like:

• iris - reading the iris pattern, a little more accepted than a retina scan

• retina - some people might see this as a little too intrusive

• palm - scans characteristics of the palm; there are some hygiene issues

• finger - the good old fingerprint

• typing cadence - apparently everyone has their own unique typing cadence (well, I am not sure, after a couple of pints of beer...)

• voice - a tricky one as your voice may sound different sometimes; also useless for disabled people

• DNA - the most accurate form of identification; the speed and collection of material might be an issue

• palm veins - reading blood veins in your palm; hygienic and spots a chopped palm.

Each of these biometric attributes has its own pros and cons, user acceptance, cross-over error rate, speed and the size of the template.

Interestingly enough, some say that dual factor is always more secure than single factor authentication. Please, allow me to disagree. I think that properly implemented biometrics (someone you are) is more secure than the combination of know and have methods. Why? Try to authenticate on a palm vein reader using a chopped (dead) palm. No luck! Remember that the primary objective of authentication is to establish the identity, i.e. verify it is me who is logging in to the system, not someone who stole my password and RSA token/mobile phone. What do you think?

However, the most common combination of authentication methods is "something you know" and "something you have". The reason is that they are, to date, the easiest ones to implement. You simply give something to users and let them set the passwords/PIN/passphrase and that's it! Maybe this will change when biometric methods become more available, easier to use and accepted by us, humans.

Now, let's see the regulatory side. The most recent standard to mandate dual factor authentication for remote access to the network is the Payment Card Industry Data Security Standard (PCI DSS). This standard applies to all companies that accept credit cards and explicitly talks about how to authenticate remote users. The next close match is ISO 27002 (previously ISO 17799:2005) that loosely mentions HW tokens for authentication.

Your company policy most likely mandates dual factor authentication as well.

Integration

Another important requirement for a remote access system is how it integrates with the existing IT infrastructure and the database of corporate users. Most organizations use Microsoft Active Directory, an LDAP and Kerberos based authentication and authorization service capable of scaling to hundreds of thousands of users with a distributed database. Obviously these systems can also authorize users, i.e. is the user allowed to use the RAS service at this time?

If your organization already has Active Directory, or any other LDAP based user database, it makes business sense to link the remote access system to it. Obvious benefits are:

• up-to-date user database: user creation, disabling and deletion take effect immediately. SOX auditors would call this "in a timely manner".

• users have just one set of credentials, i.e. less chance they would write passwords on a piece of paper.

Logging and monitoring

The operational part is sometimes overlooked but it is important to get it right. It is easy to install a system and forget about it, virtually creating a channel into the enterprise network. Such a system should send logs off to a remote logging server where it is important to set up a monitoring and escalation system. This can be a simple syslog based server with watchlog or alternatively an enterprise grade logging and monitoring system.

Is it important to watch logs 24/7 for possible incidents? I think so. Also, it is important to log an appropriate level of detail. Cisco VPN GW, for example, does log username, time, IP address of the remote client, version of the Cisco VPN client. However, it does not log the hostname and the operating system of the client computer. So if you want to check that the user is using the company laptop to access the network, no chance. Perhaps this should force you to purchase the end-point security add-on.
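As an added example (not from the article or any vendor), here is the kind of check a remote logging server could run over the four fields the article says a VPN gateway records: username, time, client IP address and VPN client version. The log line format, the policy values and the sample events are constructed assumptions; the two checks flag clients older than a policy floor and one account used from several addresses within a short window.

```python
"""Detection logic over remote-access gateway login events.

Added example (not from the article or any vendor): parses constructed,
syslog-style VPN login lines carrying username, time, client IP address
and VPN client version, and raises two alerts a monitoring and escalation
system should handle: outdated VPN clients and one account used from
several addresses in a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (an assumption, not any real gateway's syntax):
#   <ISO timestamp> vpn-gw login user=<name> src=<ip> client=<version>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw login user=(?P<user>\S+) "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) client=(?P<ver>[\d.]+)$"
)

# Constructed sample events; the addresses are documentation ranges.
SAMPLE_LOG = """\
2007-06-04T08:02:11 vpn-gw login user=alice src=198.51.100.7 client=4.8.01
2007-06-04T08:05:40 vpn-gw login user=bob src=203.0.113.9 client=4.6.00
2007-06-04T08:09:02 vpn-gw login user=alice src=192.0.2.44 client=4.8.01
2007-06-04T08:15:30 vpn-gw login user=alice src=203.0.113.200 client=4.8.01
2007-06-04T09:50:00 vpn-gw login user=carol src=198.51.100.21 client=4.8.01
garbage line that does not parse
"""

MIN_CLIENT_VERSION = (4, 8, 0)   # assumed policy floor for the VPN client
WINDOW = timedelta(minutes=30)   # window for the multi-address check
MAX_ADDRESSES = 2                # more distinct IPs than this is suspicious


def parse_version(ver):
    """'4.8.01' -> (4, 8, 1) so versions compare numerically."""
    return tuple(int(p) for p in ver.split("."))


def parse_log(text):
    """Return parsed events, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "ip": m["ip"],
            "ver": parse_version(m["ver"]),
        })
    return events


def outdated_clients(events, floor=MIN_CLIENT_VERSION):
    """Users whose VPN client is older than the policy floor."""
    return sorted({e["user"] for e in events if e["ver"] < floor})


def multi_address_users(events, window=WINDOW, limit=MAX_ADDRESSES):
    """Users seen from more than `limit` distinct addresses within `window`.

    Logins are grouped per user and sorted by time; a window starting at
    each login counts the distinct source addresses that follow within it.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            ips = {x["ip"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(ips) > limit:
                flagged.add(user)
                break
    return sorted(flagged)


def analyse(text):
    """Run both checks and return the alerts keyed by check name."""
    events = parse_log(text)
    return {
        "parsed": len(events),
        "outdated_client": outdated_clients(events),
        "multiple_addresses": multi_address_users(events),
    }


if __name__ == "__main__":
    for name, value in analyse(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```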

End-point security

This is currently the buzz-word. If your network and remote access systems do not provide endpoint security, you have a problem.

Do you know what is connected to your network? You might know if you have 802.1x and are using non-exportable certificates. But do you know what is the level of compliance with your policies, patch levels and antivirus updates? If you do, you must have such a system implemented. RAS is logically an extension of the local area network and as such must have the same level of protection. Watch out for systems from Microsoft, Cisco, Symantec and others.



PCI DSS

8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens or VPN (based on SSL/TLS or IPSEC) with individual certificates.

ISO 27002

11.4.2 User authentication for external connections

Control

Appropriate authentication methods should be used to control access by remote users.

Implementation guidance

Authentication of remote users can be achieved using, for example, a cryptographic based technique, hardware tokens, or a challenge/response protocol. Possible implementations of such techniques can be found in various virtual private network (VPN) solutions. Dedicated private lines can also be used to provide assurance of the source of connections.
Level of encryption

This used to be the most discussed topic of all times in network security, don't you think? But with the arrival of public encryption algorithms and export restrictions lifted, it is easy to implement a very strong encryption system. The most common is AES with various bit sizes. The encryption algorithm will determine the hardware requirements and the maximum number of users at one time. When configuring VPN gateways always aim for the most secure configuration that would be accepted by all clients. Fortunately, all enterprise computers should be configured the same way, eliminating incompatibilities. The following combinations of symmetric encryption and hash functions provide an enterprise level of security:

Encryption   Key size (b)   Hash    Hash size (b)
AES-256      256            SHA-2   224, 256, 384, 512
AES-192      192            SHA-1   160
AES-128      128

It is important to set the encryption key to provide adequate security without affecting performance. For example AES-256 is approx. 25% slower than AES-128 but provides double assurance (subject to random key material).

Resetting access

This is a very interesting topic and each authentication technology uses a different technique. The basic question is "How do I know you are who you say you are, over the phone?" This is the case if someone loses the password/token and needs to connect urgently to finish the work.

I would suggest this is the area where great consideration and testing should be done. Remember that the service desk, usually dealing with these requests, has one task and one task only: the service for the user does not work and needs to be restored promptly. That is why so many social engineering attacks use service desks.



Types of remote access 

The applications needed will determine the type of remote access system. There are two major types to look at: 

1. SSL VPNs - Web based access to applications. 

2. IP tunnel VPNs - full IP access to applications needed. 

Let's go over them in a little more detail. 

SSL VPN - This type of remote access is on the rise as more applications are web enabled. Effectively, SSL VPNs act as reverse proxies with SSL off-load. My small example of providing access to the company Intranet was a simple SSL VPN. 

Some possible solutions: 

• Apache reverse proxy - discussed in my previous (IN)SECURE article 

• MS ISA server 

• Cisco VPN GW. 

End point security can be assured using special Java applets which the user's computer must run in order to get through the VPN box. Such a Java applet can run code on the local computer and send the results to the VPN gateway and policy server for verification. 



The advantage of SSL VPN systems is that they do not open an IP tunnel to the network and can only reverse proxy Web based applications or some special applications using a Java applet. This limits the potential attack surface to a minimum. Obviously SSL VPNs receive increasing attention and are the favorite means of remote access, if the application allows it. Users can also connect from anywhere on the Internet with just the https port open, and even from behind a proxy server. 

One obvious disadvantage is that the client computer is connected to the Internet and the company network at the same time. This is a threat to be included in the risk assessment. However, a properly configured client personal firewall should minimize such risk. 

IPSec VPN - Good old IPSec. If you need to give users full access to the network, IPSec in ESP/tunnel mode is used. This mode can traverse NAT. End point security is achieved with special software running on the client which communicates with the VPN GW and a Radius server in the back end. Both Cisco and Microsoft have their versions of Network Access Control systems. For obvious reasons IPSec VPNs do not work easily through firewalls and proxy servers. 

The best practice is to enable "default route mode" where all traffic is routed into the IPSec tunnel, effectively disconnecting the computer from the Internet. The computer retains a specific route to the IPSec VPN GW though. 

In both solutions there should always be a firewall between the VPN GW and the internal network to limit what systems users have access to. The reason is that without the firewall, once the user is connected to the VPN GW, they have unlimited access to the network (subject to routing and internal segregation). It is good practice to limit access to internal systems with the classification INTERNAL, like the Intranet site, email systems, the proxy server for Internet access, and file servers with non-sensitive data. 

Obviously the level of access users get should correlate with the classification of the data and the authentication technique used. 






Examples of interesting authentication systems for remote access 

These are definitely the most widely used authentication systems for remote access. Please note that these can be used for all types of the remote access systems described above. 

SecurID - I believe this is by far the most widely used solution for remote access authentication. It is based on time synchronization between a token with a display and the back-end RSA server. The number changes every minute and provides "something you have". The user is required to combine this number with a PIN (something you know) on login. The problem with this system is that the PIN is usually 4 digits, it is difficult to change and its randomness is questionable. 

Text message - Virtually everyone has a mobile phone (or two). Banks use it to deliver authentication text messages, so why not use it for remote access? The idea is rather simple: replace the SecurID token with the phone. The system can generate a new number on every login attempt (successful or not) or at regular intervals and send it to the mobile phone number pre-configured in the user's profile. I personally use it and I like it more than SecurID: 

a) I do not need yet another device to carry with me all the time, and 

b) I take care of my mobile phone more than the RAS token. If the phone is lost I get a new SIM card with the same number, making the original one useless. 

The SMS message delivers the "something you have" part, but where is "something you know"? Well, it turns out that the system can use your Active Directory password instead of a PIN. I like this more than a PIN as I can control password policies for users, unlike a PIN. See the references section for more details. 
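Server-side logic for the SMS second factor just described, as an added example that is not from the article or from any product it mentions: a fresh code is generated on every login attempt, expires, is single-use, and is only accepted together with the user's directory password, so the password policy stays in force. The class and parameter names, the code length, the validity window, the attempt limit, the PBKDF2 stand-in for the directory password check and the phone number in the demo are all assumptions or constructed values.

```python
"""Added example: server-side logic for an SMS one-time code as the second factor."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed length of the texted code
CODE_TTL_SECONDS = 300   # assumed validity window for one code
MAX_ATTEMPTS = 3         # assumed number of checks before a code is discarded


class SmsSecondFactor:
    """Issues one-time codes to the phone number in the user's profile and checks them
    together with the user's directory password.

    `directory` maps username -> {"salt", "password_hash", "phone"} and stands in for
    the Active Directory lookup; `send_sms(phone, text)` is supplied by the caller, so
    no SMS gateway is contacted; `now` is injectable so expiry can be tested.
    """

    def __init__(self, directory, send_sms, now=time.time):
        self.directory = directory
        self.send_sms = send_sms
        self.now = now
        self.pending = {}   # username -> [code, issued_at, attempts]

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def start_login(self, username: str) -> bool:
        """Generate a fresh code on every login attempt and text it to the profile's number."""
        user = self.directory.get(username)
        if user is None:
            return False   # the caller should answer the client identically either way
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[username] = [code, self.now(), 0]   # replaces any earlier code
        self.send_sms(user["phone"], f"Your remote access code is {code}")
        return True

    def finish_login(self, username: str, password: str, code: str) -> bool:
        """Both factors must verify: the password (something you know) and the code (something you have)."""
        user = self.directory.get(username)
        entry = self.pending.get(username)
        if user is None or entry is None:
            return False
        expected_code, issued_at, attempts = entry
        if self.now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            self.pending.pop(username, None)   # stale or over-tried code: the user must start again
            return False
        entry[2] += 1
        # Constant-time comparisons; both are evaluated so timing does not reveal which factor failed.
        pw_ok = hmac.compare_digest(self.hash_password(password, user["salt"]), user["password_hash"])
        code_ok = hmac.compare_digest(expected_code, code)
        if pw_ok and code_ok:
            self.pending.pop(username, None)   # single use
            return True
        return False


def demo() -> bool:
    """Constructed walk-through: one user, one captured text message, one login."""
    sent = []
    salt = b"constructed-salt"
    directory = {"alice": {"salt": salt,
                           "password_hash": SmsSecondFactor.hash_password("Correct-Horse", salt),
                           "phone": "+44 7700 900000"}}   # constructed number
    factor = SmsSecondFactor(directory, lambda phone, text: sent.append(text))
    factor.start_login("alice")
    code = sent[-1].split()[-1]   # what the user reads off the phone
    return factor.finish_login("alice", "Correct-Horse", code)


if __name__ == "__main__":
    print("login succeeded" if demo() else "login failed")
```

The code is tied to the login attempt rather than to a clock, which is what makes the "new number on every attempt" variant in the article work: a code seen by someone else is useless once it has been consumed or has aged out.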

Certificate - I have covered certificate usage in the previous article. Obviously for enterprise use it is important to make sure certificates can be enrolled and distributed automatically, and they must be locked down to the computer or the user. The certificates provide "something you have". The other part is usually the user's password. 
Office link (T-Mobile UK product name) - A little exception among the others in the list. This is the name of the service provided by T-Mobile UK. A company, a client of T-Mobile, is provided with a special virtual VPN network. It can then give its workforce SIM cards provisioned for the service, which makes sure that only these SIM cards are allowed to be part of the virtual VPN for the company. Second factor authentication is implemented by requiring a username and password when logging in. The secure link between the company and T-Mobile is established using an IPSec tunnel. 

This system is rather unique as it "outsources" remote access to a telecommunications company, so an enterprise does not have to procure remote access hardware and software and operate it. 



Vladimir Jirasek is an experienced security professional currently working as the Head of System Security at T-Mobile UK. He recently migrated to Apple's Mac OS X operating system and is loving it. He holds CISSP-ISSAP, CISM and MCSE certifications and is a member of the ISSA UK chapter. He can be reached at vladimir.jirasek@googlemail.com and www.vjirasek.eu. 
Conclusion 

The way we access applications inside our networks is a fascinating subject. The boundaries between inside and outside gradually diminish and we, as security professionals, face new security threats. Having a properly designed, secured and maintained remote access system is key for the business to compete in a fast moving world. It is no longer possible to offer the excuse "I am traveling, I will log in to my email and send it to you next week when I am back from my business trip." There will be no-one to send it to by then! 

Let's design solutions that fit the purpose and help our businesses stay on a competitive edge. 
Security Metrics: Replacing Fear, Uncertainty, and Doubt 

By Andrew Jaquith 

Addison-Wesley Professional, ISBN: 0321349989 



Security Metrics is the first comprehensive best-practice guide to defining, 
creating, and utilizing security metrics in the enterprise. Using sample charts, 
graphics, case studies, and war stories, Yankee Group Security Expert 
Andrew Jaquith demonstrates exactly how to establish effective metrics based 
on your organization's unique requirements. You'll discover how to quantify 
hard-to-measure security activities, compile and analyze all relevant data, 
identify strengths and weaknesses, set cost-effective priorities for 
improvement, and craft compelling messages for senior management. 
Security Monitoring with Cisco Security MARS 

By Gary Halleen and Greg Kellogg 

Cisco Press, ISBN: 1587052709 



Cisco Security Monitoring, Analysis, and Response System (MARS) is a next- 
generation Security Threat Mitigation system. Cisco Security MARS receives 
raw network and security data and performs correlation and investigation of 
host and network information to provide you with actionable intelligence. 
Security Monitoring with Cisco Security MARS helps you plan a MARS 
deployment and learn the installation and administration tasks you can expect 
to face. Additionally, this book teaches you how to use the advanced features 
of the product, such as the custom parser, Network Admission Control (NAC), 
and global controller operations. 
VPNs Illustrated: Tunnels, VPNs, and IPsec 

By Jon C. Snader 

Addison-Wesley Professional, ISBN: 032124544X 



By explaining how VPNs actually work, networking expert Jon Snader shows 
software engineers and network administrators how to use tunneling, 
authentication, and encryption to create safe, effective VPNs for any 
environment. Using an example-driven approach, VPNs Illustrated explores 
how tunnels and VPNs function by observing their behavior "on the wire." By 
learning to read and interpret various network traces, such as those produced 
by tcpdump, readers will be able to better understand and troubleshoot VPN 
and network behavior. 



CCNP ONT Official Exam Certification Guide 

By Amir Ranjbar 

Cisco Press, ISBN: 1587201763 



CCNP ONT Official Exam Certification Guide follows a logical organization of 
the CCNP ONT exam objectives. Material is presented in a concise manner, 
focusing on increasing your retention and recall of exam topics. 

You can organize your exam preparation through the use of the consistent 
features in these chapters. "Do I Know This Already?" quizzes open each 
chapter and allow you to decide how much time you need to spend on each 
section. 



CCDA Official Exam Certification Guide, Third Edition 

By Anthony Bruno and Steve Jordan 

Cisco Press, ISBN: 1587201771 



CCDA Official Exam Certification Guide, Third Edition, is a best-of-breed Cisco 
exam study guide that focuses specifically on the topics for the DESGN exam. 

CCDA Official Exam Certification Guide presents you with an organized test 
preparation routine through the use of proven series elements and techniques. 
Exam topic lists and concise Foundation Summary information make 
referencing easy and give you a quick refresher whenever you need it. 



CCNP ISCW Official Exam Certification Guide 

By Brian Morgan and Neil Lovering 

Cisco Press, ISBN: 158720150X 



CCNP ISCW Official Exam Certification Guide is a Cisco exam study guide that 
focuses specifically on the objectives for the Implementing Secure Converged 
Wide Area Networks exam (642-825 ISCW). 

CCNP ISCW Official Exam Certification Guide follows a logical organization of 
the CCNP ISCW exam objectives. Material is presented in a concise manner, 
focusing on increasing your retention and recall of exam topics. You can 
organize your exam preparation through the use of the consistent features in 
these chapters. 
The role of log management in operationalizing PCI compliance 

By Jason Chan 

When people familiar with the Payment Card Industry Data Security Standard (PCI DSS) hear "logging" in conjunction with "PCI compliance," they naturally think of Requirement 10, entitled "Track and monitor all access to network resources and cardholder data." And it's true, Requirement 10 is quite explicit about the specific actions that must be logged, the details that must be tracked, and the length of time and manner in which logging data must be stored and retained. Similarly, when people discuss PCI compliance, there is an overemphasis and fixation on the yearly audit and submission of the Report on Compliance (ROC). 



While the annual audit and ROC submission is an important requirement for many organizations subject to the PCI DSS, as the field of general compliance management matures and we learn more about how to successfully operate compliance programs, it has become apparent that a different manner of approaching compliance is required. Instead of scrambling to fill in checklists on a gap analysis and mounting a Herculean yearly effort to establish, prove, and document compliance, it is more effective to regularly and consistently monitor and evaluate the controls, processes and compliance key performance indicators associated with the regulations that influence and apply to your organization. In this vein, it is also useful to consider additional ways that PCI-related log management can be leveraged to regularly validate and evaluate compliance-related controls and processes. 

This article will explore some of the ways that log management can bring efficiencies to PCI compliance and how organizations can use log management to transform their overall compliance strategy from reactive to proactive. 
Operationalizing Compliance 

First, let's review some definitions and background. Generally speaking, operationalizing compliance refers to moving away from a purely audit-focused perspective on compliance toward a more long-term, everyday, integrated and process-driven approach to compliance management. For PCI, this means obsessing less about the audit and ROC and instead focusing more attention on making the controls and processes required by the PCI DSS a core part of everyday IT and business operations. 

Pragmatically, this involves a number of is- 
sues: 

Comprehensive Understanding of Compli- 
ance Responsibilities 

One of the ideals of general compliance man- 
agement and operationalizing compliance is 
the development and implementation of a sin- 
gle set of policies, processes, and controls 
that will ensure compliance with all relevant 
requirements. Thus to begin in the quest for 
this ideal, the organization must be aware of 
and fully understand the entire scope of its 
relevant compliance responsibilities. 

This includes internal and external compli- 
ance influences, such as: 

• Industry mandates, including PCI. 

• Legal regulations such as SOX (Sarbanes- 
Oxley). 

• Governmental regulations such as California 
Senate Bill 1386 and FISMA (Federal Infor- 
mation Security Management Act). 

• Regulations enforced by business partners 
(e.g. supply chain compliance requirements). 

• Internal organizational requirements such as 
security policies, standards, and procedures. 

Once the scope of compliance requirements 
has been documented, approved, and inter- 
nalized organizationally, integrating compli- 
ance into everyday operations can move for- 
ward. Without this step, though, there is a 
danger of overlooking or misunderstanding 
compliance requirements, which can easily 
lead to implementing processes, policies, and 
controls that fail to address compliance 
needs. 



Organizational Alignment for Successful 
Compliance Management 

Creating a model that facilitates the efficient, 
bi-directional distribution of information on 
compliance-related activities; including gap 
analysis, remediation plans, control imple- 
mentation, and status reports is the goal of 
compliance-specific organizational alignment. 
People with responsibility for compliance (no 
matter how small) must understand their obli- 
gations and how to work toward achieving 
ongoing compliance. 

A PCI-specific example can be illustrated 
around requirement 12.7, which calls for em- 
ployee screening (i.e. background checks) for 
personnel with access to cardholder data. 
With effective organizational alignment, the 
HR business unit will be fully aware of this re- 
quirement, how to bridge any gaps if the cur- 
rent screening process is insufficient, and the 
timelines and documentation required to 
demonstrate and maintain compliance. 

Continuous and Automated Validation of Controls and Processes 

To ensure effectiveness, it is important to be able to efficiently evaluate and validate the compliance-related controls that have been implemented. This concept is at the core of operationalizing PCI compliance: it is how the best practices espoused by the Data Security Standard are embodied, implemented, and evaluated in daily practice. 

For example, PCI requirement 2.3 mandates the use of encrypted protocols and applications to administer systems over the network. A reasonable control to implement this requirement would be the use of SSH to remotely administer systems. Thus, this control would be specified in system configuration and administration standards (PCI requirement 2.2), and the installation of appropriate software would be included as a part of standard system builds. Of course, once systems are built and deployed, the controls must be validated to ensure continuous compliance. 

To validate this control, logs can be examined to detect the use of unencrypted and insecure protocols (e.g. Telnet, r-services) to administer in-scope systems. If your firewall logs show clear text protocols being used to access systems or your system logs show logins via Telnet, this control has been subverted or has otherwise failed. Log management can automate the validation of this control in a fairly straightforward manner; for example, a weekly report could be scheduled and executed to detail events that violate this control, and follow up and remediation can be planned as a result. 
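The weekly validation report for this control, as an added example that is not from the article or any log management product: it scans firewall log lines for accepted connections to clear-text administration ports on in-scope hosts and system log lines for clear-text daemons (Telnet, FTP, r-services) still running there, which is the evidence the tables below list for requirements 2.2.2 and 2.3. The iptables-style and syslog-style line formats, the in-scope subnet and host names, and all addresses in the sample are constructed for the example.

```python
"""Added example: validating PCI requirement 2.3 (and 2.2.2) from log lines."""
import ipaddress
import re
from collections import namedtuple

# Ports of the clear-text administration protocols the control replaces with SSH.
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}
CLEARTEXT_DAEMONS = ("telnetd", "in.telnetd", "rlogind", "in.rlogind", "rshd", "in.rshd", "ftpd", "vsftpd")

# Assumed PCI scope: one cardholder-data subnet and the host names that live in it.
IN_SCOPE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
IN_SCOPE_HOSTS = {"pci-db-01", "pci-db-02", "pci-app-05"}

Finding = namedtuple("Finding", "source timestamp host protocol detail")

# iptables-style kernel log line (constructed format for this example).
FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>ACCEPT|DROP) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
# syslog-style line: timestamp, host, program[pid]: message
SYS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<daemon>[\w.]+)\[\d+\]: (?P<msg>.*)$"
)


def in_scope(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in IN_SCOPE_NETWORKS)


def firewall_findings(lines):
    """An accepted connection to a clear-text admin port on an in-scope host violates the control."""
    findings = []
    for line in lines:
        m = FW_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue                     # denied connections show the control working
        port = int(m["dpt"])
        if port in CLEARTEXT_ADMIN_PORTS and in_scope(m["dst"]):
            findings.append(Finding("firewall", m["ts"], m["dst"],
                                    CLEARTEXT_ADMIN_PORTS[port], f"accepted from {m['src']}"))
    return findings


def system_findings(lines):
    """A clear-text daemon logging on an in-scope host means the service was never disabled (2.2.2)."""
    findings = []
    for line in lines:
        m = SYS_RE.match(line)
        if m and m["host"] in IN_SCOPE_HOSTS and m["daemon"] in CLEARTEXT_DAEMONS:
            findings.append(Finding("system", m["ts"], m["host"], m["daemon"], m["msg"]))
    return findings


def weekly_report(fw_lines, sys_lines):
    """Every event in the period that violates the control, in time order."""
    return sorted(firewall_findings(fw_lines) + system_findings(sys_lines), key=lambda f: f.timestamp)


# Constructed sample input (not real traffic or hosts).
FIREWALL_LOG = """\
Mar 12 02:14:07 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.5.23 DST=10.20.0.11 PROTO=TCP DPT=22
Mar 12 02:15:44 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.5.23 DST=10.20.0.12 PROTO=TCP DPT=23
Mar 12 02:16:01 fw1 kernel: DROP IN=eth0 OUT=eth1 SRC=10.1.7.9 DST=10.20.0.12 PROTO=TCP DPT=23
Mar 12 03:02:19 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.5.40 DST=10.20.0.15 PROTO=TCP DPT=513
Mar 12 03:10:55 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.5.41 DST=10.30.0.5 PROTO=TCP DPT=23
""".splitlines()

SYSTEM_LOG = """\
Mar 12 02:15:45 pci-db-02 in.telnetd[4121]: connect from 10.1.5.23
Mar 12 02:15:49 pci-db-02 login[4122]: LOGIN ON pts/2 BY dbadmin FROM 10.1.5.23
Mar 12 02:20:03 pci-db-01 sshd[5210]: Accepted publickey for dbadmin from 10.1.5.23 port 51022 ssh2
Mar 12 03:02:20 pci-app-05 rlogind[771]: connect from 10.1.5.40
Mar 12 03:30:12 corp-wiki rlogind[902]: connect from 10.1.5.40
""".splitlines()

if __name__ == "__main__":
    for f in weekly_report(FIREWALL_LOG, SYSTEM_LOG):
        print(f"{f.timestamp}  {f.source:8}  {f.host:12}  {f.protocol:10}  {f.detail}")
```

Two design points carry over to a real deployment: the scope list is what keeps the report short enough to act on (the Telnet session to the out-of-scope 10.30.0.5 host is not a PCI finding, even if it deserves attention elsewhere), and the denied connection is deliberately excluded because it is evidence that the firewall rule is doing its job, not that the control failed.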

Thus, to fulfill this general goal of continuous 
and automated process and control validation, 
each implemented control will ideally have a 
clear and straightforward means by which 
both scheduled and ad hoc validation can be 
performed. 

Using Log Management to Validate Compliance Controls 

A real benefit associated with the use of log management for control validation is that no specific control instrumentation is required. The use (and misuse) of controls creates log messages that serve as permanent artifacts and evidence of the controls' efficacy. 

By implementing log management to collect, store, analyze, and present this evidence, organizations are equipped with the data that allows them to: 

• Ensure continuous compliance. 

• Demonstrate control effectiveness. 

• Identify gaps in control coverage. 

• Fine-tune controls, operating procedures, and workflows. 

• Facilitate audit-related data gathering and analysis. 

To provide a better illustration of how this ideal is put into practice, this section offers an introduction to some of the specific PCI requirements and associated controls that can be validated through log management. A brief overview of each of the major PCI requirements is provided, and accompanying tables are used to enumerate the particular controls and processes related to each requirement and sample log messages that can be used to validate, evaluate, and demonstrate control effectiveness. 

Build and Maintain a Secure Network (Requirements 1 and 2) 

Requirement 1 describes the network traffic that is generally permitted in the PCI environment, and the policies and network-based access controls that must be in place to restrict traffic appropriately. Traffic must be limited to necessary data flows (1.1.5), and specific controls are required for DMZ and internal systems (1.3 and 1.4). 

PCI Requirement: 1.1.1 - Testing and approval of external network connections and firewall changes 
Related Controls and Processes: 
• External connection policy 
• Change management process 
• Firewall and network management policies 
Relevant Log Messages: 
• Firewall policy and configuration changes 
• Router configuration changes 
• Firewall and router reboots 

PCI Requirement: 1.1.5-1.1.7, 1.2-1.4 - Documentation and justification of ports and protocols used in the PCI environment; control and restrict specific traffic flows within the PCI environment 
Related Controls and Processes: 
• Authorized data flows and applications in the payment card environment 
• Network traffic whitelists/blacklists (i.e. explicitly allowed or denied services) 
Relevant Log Messages: 
• Accepted firewall connections 
• Denied firewall connections 

Requirement 2 outlines the configuration standards required for systems deployed in the payment card environment. Specific security configuration settings are mandated for systems (2.1 and 2.2), and encrypted applications and protocols are required for systems administration (2.3). 

PCI Requirement: 2.2.2 - Disable unnecessary and insecure services; 2.3 - Encrypt administrative access to PCI systems 
Related Controls and Processes: 
• System configuration and installation standards 
• System administration standards 
• Application whitelists/blacklists (i.e. explicitly allowed or denied services) 
Relevant Log Messages: 
• Telnet, FTP, and r-service login messages 
• Firewall and router ACL accept messages for insecure or unencrypted services 


Protect Cardholder Data (Requirements 3 and 4) 

Requirement 3 spells out the specifics on how cardholder data can be stored. This data should be maintained for the minimum time required for business purposes (3.1), authentication data cannot be stored after card authorization (3.2) and the Primary Account Number must be appropriately protected during storage (3.4). 



PCI Requirement: 3.4 - Render PAN (Primary Account Number) unreadable when stored 
Related Controls and Processes: 
• Data storage standards 
• Data classification policy 
• Confidential data processing and access policy 
Relevant Log Messages: 
• Transaction and application logs containing unencrypted card numbers 

PCI Requirement: 3.5.1 - Restrict access to encryption keys 
Related Controls and Processes: 
• Key management standards and procedures 
Relevant Log Messages: 
• File and object access records for encryption keys 



Requirement 4 mandates the use of appropriate controls (e.g. TLS or SSL, WPA2) when transmitting cardholder data over wireless and public networks. 



PCI Requirement: 4.1 - Use strong cryptography when transmitting cardholder data over open, public networks 
Related Controls and Processes: 
• Data access, transmission, and distribution policies and standards 
• Application development and management policies 
Relevant Log Messages: 
• Firewall and router ACL accept messages for insecure or unencrypted services 



Maintain a Vulnerability Management Program (Requirements 5 and 6) 

Requirement 5 describes the anti-virus controls that must be implemented on payment card systems, and includes requirements for deployment (5.1) and configuration (5.2). 









PCI Requirement: 5.1 - Deploy anti-virus software; 5.2 - Ensure anti-virus mechanisms are current, active, and capable of generating logs 
Related Controls and Processes: 
• Anti-malware infrastructure 
• System protection policies 
• Desktop and server configuration standards 
• Patch and software installation policies and processes 
Relevant Log Messages: 
• Anti-virus application installation messages 
• Virus detected, cleaned, quarantined 
• Virus signature file installed or updated 
Requirement 6 enumerates the change management and systems development controls that must be implemented to ensure compliance. This requirement outlines standards for software development (6.3 and 6.5) and the required parameters for patch and update management (6.1) and change control (6.4). 


PCI Requirement: 6.1 - Ensure systems are patched with the latest vendor security updates 
Related Controls and Processes: 
• Patch and software installation policies and processes 
• Incident response policy and process 
Relevant Log Messages: 
• Patch installed 
• Software updated 

PCI Requirement: 6.4 - Follow change control procedures for all configuration changes 
Related Controls and Processes: 
• Change management process 
• Enforcement of maintenance windows 
Relevant Log Messages: 
• System reboots 
• Patch installed 
• Software updated 



Implement Strong Access Control Measures (Requirements 7, 8, and 9) 

Requirement 7 describes the access control restrictions needed for payment card systems, and states that access must be controlled based on job function (7.1) and be configured in a default deny manner. 









PCI Requirement: 7.1 - Limit access to systems and information based on job requirements; 7.2 - Establish a system to restrict user access based on need-to-know and default deny 
Related Controls and Processes: 
• Account management process and policy 
• Access control policy 
• Role-based access controls 
Relevant Log Messages: 
• User account modifications 
• User group modifications 
• Database access (CRUD - Create, Read, Update, Delete audit records) 
• File access records 
• Login messages 



Requirement 8 sets forth the manner in which organizations must implement unique identifiers for users of payment card systems to ensure auditability and traceability of events. Authentication requirements are specified (8.2 and 8.3), and password standards are provided (8.4 and 8.5). 









PCI Requirement: 8.1, 8.5.8 - Identify all users with a unique ID before allowing access; do not use group, shared, or generic accounts 
Related Controls and Processes: 
• User provisioning process 
• Separation of duties 
• Systems administration process and policy 
Relevant Log Messages: 
• User logins (system, application, database) 
• Shared user logins (e.g. root, administrator, application and service accounts) 
• Accounts created 

PCI Requirement: 8.3 - Implement two-factor authentication for remote access 
Related Controls and Processes: 
• Remote access policy 
Relevant Log Messages: 
• VPN logins 

PCI Requirement: 8.5.1 - Control addition, deletion, and modification of user IDs and other identifiers 
Related Controls and Processes: 
• User provisioning process 
• Account maintenance procedures 
Relevant Log Messages: 
• Accounts created, deleted, modified 
• Groups created, deleted, modified 

PCI Requirement: 8.5.4 - Immediately revoke access for any terminated users 
Related Controls and Processes: 
• Deprovisioning policy and procedures 
• Employee termination policy 
Relevant Log Messages: 
• User deleted 
• User disabled 

PCI Requirement: 8.5.6 - Enable accounts for vendor remote access only when required 
Related Controls and Processes: 
• Vendor remote access policy 
• Enforcement of maintenance windows 
• Change management process 
Relevant Log Messages: 
• User logins (vendor user accounts) 
• VPN logins 

PCI Requirement: 8.5.13 - Lockout user accounts after six failed login attempts 
Related Controls and Processes: 
• User account management policy 
Relevant Log Messages: 
• Failed logins 
• Account lockouts 

PCI Requirement: 8.5.16 - Authenticate all access to any database containing cardholder data 
Related Controls and Processes: 
• Data access policy 
• Access control policy 
Relevant Log Messages: 
• Database logins 


Physical security controls for payment card environments are described in Requirement 9. This includes physical access and visitor controls (9.1 through 9.4) and media (e.g. tapes, disks, paper) security, distribution and destruction (9.5 through 9.10). 



PCI Requirement: 9.1 - Use facility entry controls to limit and monitor physical access 
Related Controls and Processes: 
• Physical security controls 
• Facility access policy 
Relevant Log Messages: 
• Badge reader activity (e.g. entries, failures) 



Regularly Monitor and Test Networks (Requirements 10 and 11) 

Requirement 10 describes the foundational requirements for audit trails and log management within PCI environments. As such, every sub-requirement in this section relates directly to the collection, storage, protection, integrity and/or retention of logs. 

This requirement covers the core functions of log management, including: 

• Enabling and configuring logging (10.1 and 10.2) 

• Details required for audit trail events (10.3) 

• Time synchronization (to support the integrity and usability of logs) (10.4) 

• Centralization and protection of logs (10.5) 

• Log review and analysis (10.6) 

• Log retention (10.7) 

Requirement 11 enumerates the testing and monitoring controls that must be implemented for payment card environments. This includes regular control assessment, vulnerability assessments and penetration testing (11.1 through 11.3) and the use of IDS/IPS and file integrity monitoring software (11.4 and 11.5). 
PCI Requirement: 11.4 - Use IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) to monitor traffic and alert personnel 
Related Controls and Processes: 
• Network monitoring policy 
• Incident response program and procedures 
• Patch and software installation policies and processes 
Relevant Log Messages: 
• IDS/IPS alerts 
• IDS/IPS signature updates 

PCI Requirement: 11.5 - Deploy file integrity monitoring systems (FIMS) to alert personnel to unauthorized modifications 
Related Controls and Processes: 
• System monitoring processes 
• Change management process 
• Incident response program and procedures 
Relevant Log Messages: 
• FIMS alerts 


Maintain an Information Security Policy (Requirement 12) 

Requirement 12 specifies the information security policies and procedures needed for PCI compliance, including operational procedures (12.2), usage policy (12.3), and incident response (12.9). 









PCI Requirement: 12.2 - Develop daily operational security procedures consistent with PCI requirements 
Related Controls and Processes: 
• System monitoring processes 
• Incident response program and procedures 
• Security standard operating procedures 
Relevant Log Messages: 
• Logins to security systems (to validate daily use and monitoring of controls) 
• Log review messages (to validate regular review of logs) 

PCI Requirement: 12.9, 12.9.5 - Implement an incident response plan; include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems 
Relevant Log Messages: 
• IDS/IPS/FIMS alerts 



Conclusion 

As organizations become more familiar with the day to day requirements of managing PCI and other compliance initiatives, they are naturally looking for ways to both streamline their efforts and ensure the effectiveness of their controls. Log management dovetails well with this movement, satisfying log collection, retention, protection, and analysis requirements as well as providing the infrastructure for continuous compliance and control validation. 
Interview with Jeremiah Grossman, CTO of WhiteHat Security 

By Mirko Zorz 

Jeremiah Grossman founded WhiteHat Security in 2001. Prior to WhiteHat, he was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Jeremiah is a world-renowned leader in web security and a frequent speaker at the Blackhat Briefings, NASA, Air Force and Technology Conference, Washington Software Alliance, ISSA, ISACA and Defcon. He is a founder of the Web Application Security Consortium (WASC) and the Open Web Application Security Project (OWASP), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. 



Let's start with an easy one. How did you get interested in Web security?

Most of my technology background originates from Web development. I've created many websites, coded in several server-side (Perl, C, Java) and client-side (JavaScript, Flash, Java) languages, studied HTTP extensively, toyed with every major Web browser since Mosaic, and am very familiar with Apache and MySQL. But, it really wasn't until the summer of 1999 that I took an active interest in Web security. The mainstream media published several articles stating that the Web wasn't secure (nothing new here), but the big guys (Yahoo, Amazon, eBay, etc.) had fixed the problem (They did!? How!?).

To satisfy my curiosity, I proceeded to hack into my own Yahoo! Mail account and quietly reported my results back to them. A few emails later, Yahoo! offered me a position as "The Hacker Yahoo." And the rest, as they say, is history - tinyurl.com/2fmkwv

What are the most important lessons that you learned while working as the Information Security Officer at Yahoo? I'm sure many security professionals wonder what working at such a large company entails.



Yahoo! was/is big, really big. It's so big it's hard to wrap your mind around: at the time, my best count was roughly 600 websites, 17,000 publicly facing Web servers, and 120 million users.

Working for Yahoo!, or being responsible for the security of any popular website, is trial by fire. Think about the fact that there are more than 1 billion people across the globe with access to your website all the time, and a certain percentage (we thought 1%) is malicious. As demanding as this type of job is, the experience is also extremely rewarding and highly recommended for anyone in website security. Without having been in that role, it's difficult to appreciate which security strategies actually work, versus the ones that technically should, but don't.

Lessons learned:

• IDS says everyone is attacking you with everything they got all the time

• A hacker, who just has to find a single vulnerability, has it easier than a security professional, who has to defend against all vulnerabilities all the time

• Everyone with a website gets a "vulnerability assessment," probably several per day. Whether you pay for the results or not is another matter

• Use security obscurity to your advantage

• Security solutions that work for smaller websites don't necessarily scale for the larger ones.

This year you've been selected as one of the Top 25 CTOs according to InfoWorld. How does it feel to have your work recognized and be put head to head with other well known industry giants?

It's an honor. "Surreal" is the best word I can use to describe being listed next to names from top companies like VeriSign, 3Com, Motorola, and Credit Suisse. And while I'm receiving a lot of the credit recently, which I appreciate, it's really the result of years of tireless effort from many amazing people at WhiteHat Security and around the webappsec community. I was always fond of the quote by Sir Isaac Newton, "If I have been able to see further, it was only because I stood on the shoulders of giants."

Has the award put a spotlight on WhiteHat Security?

It's funny, I was just getting used to seeing our name in the press about every week or so, then this happened. Now it's almost every day we're mentioned and it's actually been difficult for us to keep up with all the inbound interest in WhiteHat Sentinel. Part of the build up is of course press generated. But, most of the increase is simply due to the complexity and difficulty of Web application security and the need for easy-to-use vulnerability management services. We're really excited about the future and we seem to be at the right spot at the right time.



USE SECURITY OBSCURITY TO YOUR ADVANTAGE 



With the constant evolution of threats, what kind of technology challenges does WhiteHat Security face?

It's interesting. It's not so much the new attacks or techniques that keep us on our toes, but the adoption of new Web development technologies such as Ajax, Flash, Java, etc. Websites using these technologies are really no more or less secure. But, what is more difficult is scanning for the vulnerabilities within them. Today's Web pages share more similarities with running applications instead of traditional HTML documents. This makes "crawling" the website that much harder. By extension, the attack surface is more difficult to define, and as a result black box "fuzzing" is constantly challenged.

In your opinion, how has the Web security scene evolved in the last few years?

It might sound odd, but one big difference for me is that only a few years ago people barely knew that "Web application security" existed or that firewalls and SSL didn't protect a website.

Today, almost everyone I talk to, from coast to coast and country to country, has that figured out. Now everyone wants to know what the latest trends and best practices are. The other big difference is the availability of knowledge. Before, the information people needed to secure a website really wasn't documented. Now, people have access to websites with hundreds of white papers, presentations, and books right at their fingertips. If you want to secure a website, the information to do so is out there.

Have new development techniques brought more problems?

Some experts like to say that Ajax or Web 2.0 is the harbinger of new attacks. I'm not one of them. Fundamentally, we're dealing with the same problems in the same locations.

The challenges that Ajax brings land more on the security vendor than on the enterprise. We have to find vulnerabilities in these custom Web applications and Ajax-enabled applications are much more difficult to do so. Read any of Network Computing's scanner product reviews and you'll see what I mean (tinyurl.com/2ypwo6).

What are the security tools/services that you use on a daily basis and couldn't live without?

I've blogged about the speed hack contests we hold at the office. This is where we race to find the first and the best vulnerability in a never-before-seen website. For speed, nothing beats Firefox, the Web Developer Toolbar, and having the Paros or Burp proxy handy. If I happen to get stuck on an XSS filter, I call up RSnake's XSS cheat sheet, use the encoders at the bottom, and that usually does the trick - ha.ckers.org/xss.html

If I woke up tomorrow back at Yahoo!, or was responsible for the security of any website, (I know I'm biased here) the honest answer is I'd get the Sentinel Service deployed immediately. The service is easy and complete, but most of all a security professional's time is precious. Sure they could do the vulnerability assessment work themselves with each site update, but it's a poor use of their time and expertise. Their time and expertise is better spent focusing on strategic solutions and big picture thinking, rather than trying to identify, prioritize and weed through the next hundred Cross-Site Scripting, SQL Injection, or whatever other vulnerabilities there might be.

Are websites that you assess more insecure today in comparison to 3 years ago?

I'd say today's websites probably have less vulnerabilities, but they've also never been more at risk.

While SQL Injection seems to be on the decline and Cross-Site Scripting filters are far more common, the number of attackers and attack techniques has increased dramatically.

The bad guys go where the money is and right now that's the Web. To monetize, all they have to do is capitalize on one single vulnerability. So, if an organization is only going after the low hanging fruit, that isn't going to help much, since Web attacks are targeted. Websites that do better are the ones whose security posture makes it hard enough on the bad guy where it's in their best interest to try some place else.

A significant part in the process of developing a complex enterprise website is ensuring that the customer data being used on that website is secure. What do you see as the biggest threats to that security? What are the most common mistakes you see your customers make?

With 125+ million websites, and most of them riddled with vulnerabilities, I think it's safe to say the mistakes have already been made. At this point, we're trying to stop the new holes in the dam and plug the existing ones. Here's the advice I give to everyone:

1) Asset Tracking - Find your websites, assign a responsible party, and rate their importance to the business. Because you can't secure what you don't know you own.

2) Measure Security - Perform rigorous and on-going vulnerability assessments, preferably every week. Because you can't secure what you can't measure.

TODAY'S WEBSITES PROBABLY HAVE LESS VULNERABILITIES, BUT THEY'VE ALSO NEVER BEEN MORE AT RISK.

3) Development Frameworks - Provide programmers with software development tools enabling them to write code rapidly that also happens to be secure. Because, you can't mandate secure code, only help it.

4) Defense-in-Depth - Throw up as many roadblocks to attackers as possible. This includes custom error messages, Web application firewalls, security with obscurity, and so on. Because 8 in 10 websites are already insecure, no need to make it any easier.

You are one of the authors of the recently released "Cross Site Scripting Attacks: XSS Exploits and Defense". How long did the writing process take? What was it like to cooperate with other authors?

The writing process took about six months. Generating hundreds of pages of coherent and compelling content is challenging to say the least, even with five of the best subject matter experts working in parallel. It was great getting to review the work of the authors on the fly and see the project come together. And, people really seem to be excited about the book and enjoying the read.

For me, the feedback and reviews we've been receiving from the industry is what really made it all worthwhile. Knowing that your work is useful to so many is a great feeling.

Web security has been getting a lot of attention in the past 2 years and an increasing number of people is starting to pay attention. What resources would you recommend to those who want to learn more about Web security?

There are a lot of resources out there and the blogosphere has been one area that has exploded. Here are some good resources:

• Robert "RSnake" Hansen (ha.ckers.org)

• Planet Web Security (planet-websecurity.org)

• Mine :) (jeremiahgrossman.blogspot.com)

• Matasano (www.matasano.com/log)

• Web Application Security Consortium (www.webappsec.org)

• Open Web Application Security Project (www.owasp.org)

• Web Security Mailing List (www.webappsec.org/lists)



SOFTWARE VENDORS HAVE A RESPONSIBILITY FOR THE 
DATA THEY PROTECT AND THE PRODUCTS THEY SELL 



In general, what is your take on the full disclosure of vulnerabilities? Should vendors have the final responsibility?

At the end of the day, website owners and software vendors have a responsibility for the data they protect and the products they sell. I've been on most sides of the full-disclosure debate (website owner, software developer, security researcher, and business owner) and can appreciate the concerns raised. I'm a pragmatist. When responsible for security, I have no expectation that anyone is going to share any vulnerability information with me ahead of time. I hope they would before going public, but it would be irresponsible to depend on it and hopeless to demand it. I also think describing the messenger as "unethical" or worse only gives the impression that the company isn't taking full responsibility for the incident.

Instead, try to be open, investigate what caused the problem, solve it, and move on.

What are your plans for the future? Any exciting new projects?

While specific projects I'm working on at WhiteHat must remain confidential, my "agenda" is twofold. Help organizations find the vulnerabilities in their websites, no matter how big or how often they change. If that means scaling big enough to scan the entire Internet every week, so be it. And, when we know where the vulnerabilities are, provide organizations with options to get them fixed, quickly and with the least amount of trouble. Once someone decides they want to improve the security of their website, I want to be able to provide them with a game plan to do so that makes sense.



www.insecuremag.com 






The geek shall inherit the earth! This is the slogan that has reverberated out from Silicon Valley from the mid-90s, as we all realized that technology was, actually, fun, interesting, essential. Geek chic took over the worlds of film, fashion - and even finance. Suddenly it was cool to be into computers.

But the rise of the geek didn't just confine itself to light-hearted entertainment, start-ups that went stratospheric, or successful transformations of 'old economy' businesses. Computers and crime have come together. Mobsters are no longer the fast-talking, pin-striped, gun-toting caricatures of Hollywood legend. Criminal organizations are just as likely to be behind hacking and phishing networks as illegal gambling rackets and gun-running operations - with the same levels of profitability.

These days the weapons of choice are not sawn-off automatics, or revolvers fitted with silencers. They are much more likely to be illicitly gathered passwords, user-names and dates of birth. And of the armory at their disposal, keyloggers are an increasingly popular choice.

Available in either software or hardware form, keyloggers record every stroke made on a keyboard, and compile the data gathered to reconstruct login details, PINs, encryption codes, mothers' maiden names or any other form of security information. From there it is but a short journey to inviting vistas of identity theft, industrial espionage, blackmail, or simple credit card misappropriation.

Successful surveillance

In an age when CPUs are increasingly central to so many aspects of our lives, and the quality of information is a key differentiator between businesses, it is not surprising that keyloggers have proved to be so attractive to criminals.

Despite this, the keylogger/criminal connection has on occasion worked in the interests of the good guys.
In one of the earliest examples of cyber-crime fighting, Nicodemo Scarfo Jr, a well-connected member of the New York and Philadelphia mobs, was brought down by the Magic Lantern keylogger that the FBI installed on his computer via a Trojan. Certainly not the typical bullets-and-bloodshed take-down of popular imagination, it was still enough to indict him for running an illegal gambling ring and loan sharking.

At the time the story raised a number of concerns about computer privacy. Now it serves as a useful reminder that there is a positive side to keylogging. As well as serving the interests of law enforcement agents, keyloggers can help employers maintain productivity by ensuring that staff are working on appropriate projects. They can protect valuable bandwidth by spotting when unnecessary applications have been downloaded, and ensure optimum use of networked resources by encouraging personal web or system use to be kept to appropriate levels.

Keyloggers can even be used in the interests of child protection, enabling parents to check their children's computer activities, while giving those children a degree of independence and privacy.

Keyloggers and criminals

Nonetheless, it is still the darker side of these surveillance technologies that is more familiar to the majority of IT and security professionals. Using keyloggers gives thieves a veil of anonymity: they can plunder the treasure-trove of inter-connected corporate systems and storage devices at will, with very little chance of detection.

In the wrong hands, therefore, keyloggers can damage business relationships, financial standing, and reputations. They can even cause an organization to breach major pieces of legislation such as the European Data Protection and Human Rights Acts, or the Sarbanes-Oxley Act in the States.

Using keyloggers gives thieves a veil of anonymity.

Nor is it just large corporates that experience keylogging attacks. They may well be the most attractive targets, but individuals' personal details are at risk from a carefully located keylogger - and far less likely to be adequately protected. In fact, any individual or organization that accesses, inputs or stores valuable information is at risk.

Software or hardware

Nicodemo Scarfo was caught out by Magic Lantern, a software keylogger that infected his machine through a Trojan, and this is the way that the majority of keyloggers work. The advantage of the software versions is that they are easy to install - despite the constant warnings, too many people lose the war between curiosity and caution and open up spyware, Trojan or virus-infected files and emails. Software also enables thieves to infect a huge number of machines and gather the data quickly, easily and remotely.

Fortunately, detection is becoming much easier. The attractions of the bigger corporates are tempered by the increasing awareness of IT security managers, who keep machines protected with the latest anti-virus software to prevent Trojans and spyware entering the system in the first place. Should a keylogger slip through the net, standard protection tools that monitor the status of a computer can detect and remove it.

Unfortunately, security managers are locked in a game of one-upmanship with criminals who have followed the lead of the most successful businesses and taken the maxim 'innovate or die' to heart. As security measures improve, so criminals find new ways to breach them. In this case that means hardware keyloggers. These devices are much harder to detect than software since they do not install any code onto the machine and cannot be spotted by traditional anti-virus or anti-spyware tools.
Installing the hardware

Hardware keyloggers take two main forms. The first, and probably the most common, is a small device installed at the back of a PC between the keyboard and its connection to the machine.

As with all hardware keyloggers, it requires the attacker to have physical access to the computer in question, both to install and later retrieve the device. With social engineering growing in sophistication, this doesn't pose a problem to the determined individual, particularly as it takes a matter of seconds to install, and requires no technical skill.

These kinds of keyloggers may only be approximately 1.5 inches long, but they have a memory capacity that allows up to two million key strokes to be recorded - which represents about five years' worth of typing for the average computer user.

Happily, this type of hardware keylogger is also the easiest to detect visually - provided you know what to look for.

More insidious forms of keyloggers are built into the keyboard. Thieves will either replace the keyboard completely or dismantle it, insert a keylogging device, and re-assemble it. Naturally this requires a greater degree of skill on the part of the criminal, and takes more time to complete. But the chances of visual or manual detection are almost zero.



Organizations can defend themselves against keyloggers. 



Self-defense

The good news is that organizations can defend themselves against determined keyloggers. The first step, as with all effective security measures, is to educate and train users to raise awareness and create a culture of individual responsibility. The number of PCs in large companies makes it impractical for the IT security manager to check the back of every single box and every single keyboard manually. Users who carry out basic monitoring of their own equipment greatly increase the chances of detecting any rogue devices.

Secondly, organizations should look at alternatives to desktop PCs. Although still susceptible to hardware keyloggers, the inbuilt keyboards of laptop computers are far harder to tamper with. However, greater use of mobile devices brings new security challenges, which must be balanced against the reduced threat from keyloggers.

Then there are the secure tokens, smart cards or other devices that are used to provide a second layer of authentication after user names and passwords. These work by having a constantly changing passcode, meaning that any data gathered by a keylogger is immediately invalid, and cannot be used to sneak into the system.

Organizations should also consider increasing the use of drop down menus for gathering information. Instead of typing in information with trackable keystrokes, drop downs enable users to select characters or words with the mouse, which a keylogger cannot record.

However, in addition to these more general security tools, there are a number of applications, recently on the market, that can automatically identify hardware keyloggers. These software solutions disable the devices by intercepting and blocking communications between the device and the targeted computer. The software also alerts the IT department to the presence of keyloggers.

The secure organization

Keyloggers are such a potent source of danger because they exploit the gap created by not one but two notoriously weak areas of IT security. The first is our ongoing reliance on passwords. Sophisticated intrusion prevention or segmented access authorization do add extra layers of protection to corporate networks, but they still cannot distinguish between a legitimate user with the right password and a malicious one.

The second is old-fashioned physical security, often forgotten when devising strategies to protect virtual assets. Since hardware keyloggers require physical access to the targeted machine, the criminal must be in the presence of that computer, even if it's only for a matter of seconds. If they are to protect themselves against keyloggers, organizations have to give the broadest possible definition to IT security. That means policies to help employees recognize social engineering attacks, and even conducting thorough background checks on auxiliary staff who have access to the building.

After all, if you think your data is worth protecting, then someone else will think it is worth stealing.



Sacha Chahrvin has been the UK managing director of SmartLine for two years. He has a BA in Business Studies and has spent more than 10 years in the software industry. Before SmartLine, Sacha worked for a number of reseller organisations supplying software licensing to Fortune 500 accounts, with his last role being global account manager at Reuters.
WINDOWS - WinSCP

http://www.net-security.org/software.php?id=6

WinSCP is an open source SFTP and SCP client for Windows using SSH. Its main function is safe copying of files between a local and a remote computer.

LINUX - Firewall Builder

http://www.net-security.org/software.php?id=230

Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms. In Firewall Builder, a firewall policy is a set of rules; each rule consists of abstract objects that represent real network objects and services (hosts, routers, firewalls, networks, protocols).

MAC OS X - The DoorStop X Security Suite

http://www.net-security.org/software.php?id=674

The DoorStop X Security Suite is an integrated, comprehensive approach to securing your Macintosh on the Internet.

POCKET PC - Pocket Warrior

http://www.net-security.org/software.php?id=575

Pocket Warrior is a Pocket PC WiFi 802.11b Prism auditing software.

To submit software for consideration e-mail software@net-security.org
The underlying goal of typical "hacker" sessions or seminars is to get attention and create awareness. They give you insight into what can be done to your network by those among us who have cruel intentions. With the release of Windows Vista a lot has changed. Microsoft tightened up user rights, introduced User Account Control, limited services and code execution, improved IE security and revamped the firewall. What's left for the good old hacker?

Technical vs. non technical aspects

While a lot has happened in the security field during the last few years, the (ethical) hacker still knows some tricks that work perfectly. Simply fire up a sniffer and you will know what I mean. As with everything in life, things can end up in the wrong hands and can - in this case - be used to compromise security in many ways.

Despite all this, a lot of companies still don't see security as a complete set of measures that have to be taken to get a more secure environment. Security is definitely not a layer that can be pasted on after all the (infrastructure) implementation work is finished. "Oh yeah, we forgot that security thing! Just add some of it!" It simply won't work that way. It is sometimes difficult, but I think the only way is to create awareness, and sometimes to present the bare facts by - for example - giving a demo to really show the vulnerabilities. The technical issues are not the only ones that play an important role; the human factor is also of great importance. It is highly important to have a good policy and follow strict procedures. I stress the fact that I said "more secure" earlier because total security and 100 percent protection are out of the question. It's always a matter of calculating risk and a balanced investment in protecting your assets.

Be aware of certain risks

Why is it so easy to get access to a network? Well, because most of the time the proper countermeasures haven't been taken to limit the scope a potential attacker has. This ranges from a security policy, knocking out rogue access points, implementing network segmentation and limiting user capabilities on an ordinary workstation to patched and properly managed firewalls.

A system administrator doesn't have to be a hacker and doesn't even need such skills to get proper network management in place. But being aware of the risks is a good thing. A basic understanding of what is possible on the network from an attacker's perspective and what can go wrong helps the IT (security) professional to better understand all of this and then be able to better secure the company network and protect the assets.

The starting point: disclose information

Ethical hackers can use many different methods during a simulated attack or penetration test; there is a whole range of tools and attack methods to choose from. This can start from the remote network, for example by launching an attack over the Internet. This way the ethical hacker tries to break or find vulnerabilities in the outside defenses of the network, such as firewalls, proxies or web servers. One can also use remote dial-up possibilities (yes, they still exist) or the local network in order to launch the attack.

By using social engineering, it is possible to check the integrity of the organization's employees. Also, by gaining physical entry the attacker can attempt to compromise the organization's physical premises. You would be surprised how easy it is to tailgate and just walk in through the entrance, even with a doubly guarded front door.

An attacker who gains physical access can plant viruses, Trojans, rootkits, install hardware keyloggers, copy information directly to a disk, install rogue access points or have direct access to systems in the target organization and network. He can also steal some unprotected hardware equipment with useful information on it.

The first step for any attacker is to get the information needed to start an attack. Hacks in general can be initiated from outside but can also be launched from the inside. As you will know, most of the attacks (around 75 - 80 percent) come from inside of the company.

These first steps can all be passive. A thorough search for information about the company on Google can disclose a lot of basic information. Information gathering is possible by querying the Whois database of, for example, RIPE (www.ripe.net). The result is a range of IP addresses which can be the starting point for further steps in more active techniques used to get closer to the target.

Port scanning techniques and Nmap

It is very easy to start using the Nmap network mapping utility (insecure.org/nmap/) to scan networks and get crucial information about hosts on that network - what kind of hosts they are and how each host is configured, which ports are open or which services are running.

The power behind Nmap is the huge number of scanning techniques and options available. Some Nmap scans can hide your own machine and in that way make it appear as if another computer is scanning the network, while other scans go directly for the targeted machine. Nmap's primary interface is the command line, on Windows as elsewhere. The command line is very powerful and a lot of options and parameters can be added to do the work. There is a graphical utility available called NmapFE, but in order to take advantage of the more advanced functionality you should stick to the command line.

With Nmap you can scan for TCP or UDP ports. TCP is a stateful or connection-oriented protocol. Connection-oriented means that, before any data can be transmitted, a reliable connection must be obtained and acknowledged by both parties involved in the communication. As you will know, there is a specific set of control bits that can be set in a TCP packet, also known as "flags". Flags can be:

URG: Urgent Pointer

ACK: Acknowledgement

PSH: Push Function

RST: Reset the connection

SYN: Synchronize sequence numbers

FIN: No more data from sender

There are two scenarios where a handshake takes place: first, establishing a connection (an active open, the three-way SYN, SYN/ACK, ACK exchange) and second, terminating a connection (an active close).
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One problem with port scanning is that it is 
most of the times logged by the services lis- 
tening at the scanned ports. This is because 
they detect an incoming connection, but do 
not receive any data, thereby generating an 
error in the log. 

UDP is different, as it is connection-less ("fire and forget") traffic. UDP does not guarantee reliability or ordering in the way that TCP does. Datagrams may arrive out of order or go missing without notice. Missing the overhead of checking whether every packet actually arrived at the destination makes UDP faster and more efficient for applications or services that do not need guaranteed delivery, such as messaging or streaming protocols. In order to scan for UDP ports with Nmap, you generally send empty UDP datagrams at the port. If the port is listening, the service will send back an error message or ignore the incoming datagram. If the port is closed, the operating system usually sends back an "ICMP Port Unreachable" (type 3) message. This way the attacker can find open ports. 

Nmap supports a range of port scanning techniques: open scans, half-open scans, stealth scans and a lot of other options intended to "dive under the radar". Naturally, the attacker prefers to keep his actions undetected. 



C:\Windows\system32>nmap -v 192.168.1.8

Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-22 16:20 Romance Daylight Time
Initiating ARP Ping Scan at 16:20
Scanning 192.168.1.8 [1 port]
Completed ARP Ping Scan at 16:20, 0.45s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host, at 16:20
Completed Parallel DNS resolution of 1 host, at 16:20, 0.00s elapsed
Initiating SYN Stealth Scan at 16:20
Scanning 192.168.1.8 [1697 ports]
Discovered open port 636/tcp on 192.168.1.8
Discovered open port 389/tcp on 192.168.1.8
Discovered open port 53/tcp on 192.168.1.8
Discovered open port 445/tcp on 192.168.1.8
Discovered open port 3268/tcp on 192.168.1.8
Discovered open port 135/tcp on 192.168.1.8
Discovered open port 88/tcp on 192.168.1.8
Discovered open port 1027/tcp on 192.168.1.8
Discovered open port 3269/tcp on 192.168.1.8
Discovered open port 464/tcp on 192.168.1.8
Discovered open port 593/tcp on 192.168.1.8
Discovered open port 1025/tcp on 192.168.1.8
Completed SYN Stealth Scan at 16:20, 1.52s elapsed (1697 total ports)
Host 192.168.1.8 appears to be up ... good.
Interesting ports on 192.168.1.8:
Not shown: 1685 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
MAC Address: [not legible in the screenshot]

Nmap finished: 1 IP address (1 host up) scanned in 2.256 seconds
               Raw packets sent: 1802 (79.286KB) | Rcvd: 1698 (78.104KB)

C:\Windows\system32>

Scanned and open ports on a Windows Domain Controller 
Different types of scanning 

Open scans make use of a full connection opened to the target system by a three-way TCP/IP handshake. The downside of this is that these scans are easy to detect on the network. This is because the whole three-step handshake process will finish and will usually be logged by the contacted machine or IDS. However, the information gathered with an open scan is the best in determining the actual (port) state of the target machine. 

In the handshake process the client sends a SYN flag, to which the server replies with SYN+ACK, which in turn is acknowledged with an ACK flag by the client to complete the connection. If a port is closed or 'not listening', the server responds with RST-ACK, to which the client responds with a RST flag, closing the connection. This allows the user to see if a particular port is open or closed. 

Another disadvantage of this scan technique to an attacker is that it is impossible to spoof his identity, as spoofing would require sending correct sequence numbers as well as setting the appropriate return flags to set up a data connection. Spoofing an IP address in this case will never complete the three-way handshake, and the responses go to the spoofed IP address. Besides that, most intrusion detection systems and firewalls detect and log this scan; because the IP address is known, the attacker's IP address can be logged, filtered or easily blocked. 

Half open scan 

One way to circumvent logging and detection is to perform a half open scan, in which a complete TCP connection is never established. Instead, as soon as the server acknowledges with a SYN-ACK response, the client tears down the connection by sending a RST. This way, the attacker detects an open port listening for (running) a service from the SYN-ACK response. Intelligent intrusion detection systems and firewalls are also capable of detecting a scan like this and will prevent it from taking place. 



Stealth scanning 

Half open scans were considered stealthy for a long time, but as intrusion detection systems evolved, these scans became easily logged. Now there are other ways to scan a network stealthily: scans where the packets are flagged with a particular set of flags other than SYN, using a combination of flags, with no flags set, with all flags set, just appearing as normal traffic, or using fragmented packets, all of 
this tricking filtering devices. 
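Seen from the defender's side, the open, half-open and stealth techniques just described, and the UDP probing above, each leave a distinct flag sequence per port. The following Python script is an added example (not code from the article or from Nmap) that groups a packet log into flows, classifies each flow by its flag sequence, and raises one alert per source host and technique. The packet log, the hosts 10.0.0.5 through 10.0.0.9 and the three-port threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample, not a capture from the article: one packet per line as
# "seq src dst proto port flags"; "port" is always the scanned port on the
# target (for replies, the reply's source port). Flags use Nmap's letters
# (S=SYN A=ACK R=RST F=FIN P=PSH U=URG), "-" = no flags set. For UDP the
# flags column is "DATA" for the probe and "ICMP3" for a port-unreachable reply.
SAMPLE_LOG = """\
1 10.0.0.5 10.0.0.8 tcp 53 S
2 10.0.0.8 10.0.0.5 tcp 53 SA
3 10.0.0.5 10.0.0.8 tcp 53 R
4 10.0.0.5 10.0.0.8 tcp 88 S
5 10.0.0.8 10.0.0.5 tcp 88 SA
6 10.0.0.5 10.0.0.8 tcp 88 R
7 10.0.0.5 10.0.0.8 tcp 389 S
8 10.0.0.8 10.0.0.5 tcp 389 SA
9 10.0.0.5 10.0.0.8 tcp 389 R
10 10.0.0.5 10.0.0.8 tcp 8080 S
11 10.0.0.8 10.0.0.5 tcp 8080 RA
12 10.0.0.9 10.0.0.8 tcp 445 S
13 10.0.0.8 10.0.0.9 tcp 445 SA
14 10.0.0.9 10.0.0.8 tcp 445 A
15 10.0.0.7 10.0.0.8 tcp 21 FPU
16 10.0.0.7 10.0.0.8 tcp 22 FPU
17 10.0.0.7 10.0.0.8 tcp 25 -
18 10.0.0.7 10.0.0.8 udp 161 DATA
19 10.0.0.8 10.0.0.7 udp 161 ICMP3
20 10.0.0.7 10.0.0.8 udp 162 DATA
21 10.0.0.8 10.0.0.7 udp 162 ICMP3
22 10.0.0.7 10.0.0.8 udp 123 DATA
"""


def parse_log(text):
    """Group packets into flows keyed by (client, server, proto, port); the
    first host seen on a port is the client. Packets become (dir, flags)."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _, src, dst, proto, port, flags = line.split()
        fwd, rev = (src, dst, proto, int(port)), (dst, src, proto, int(port))
        if rev in flows:
            flows[rev].append(("s", flags))                  # server -> client
        else:
            flows.setdefault(fwd, []).append(("c", flags))   # client -> server
    return flows


def classify_flow(proto, packets):
    """Return (technique, port_state) for one flow's packet sequence."""
    seq = [f"{d}:{f}" for d, f in packets]
    if proto == "udp":  # closed UDP ports answer ICMP type 3; silence = open|filtered
        return ("udp-probe", "closed" if "s:ICMP3" in seq else "open|filtered")
    first = packets[0][1]
    if first in ("-", "F", "FPU"):  # NULL, FIN and XMAS probes never carry SYN
        return ({"-": "null", "F": "fin", "FPU": "xmas"}[first] + "-probe", "unknown")
    if seq[:3] == ["c:S", "s:SA", "c:A"]:
        return ("connect", "open")       # full three-way handshake completed
    if seq[:3] == ["c:S", "s:SA", "c:R"]:
        return ("half-open", "open")     # SYN, SYN-ACK, then RST: never completed
    if seq[:2] == ["c:S", "s:RA"]:
        return ("syn-closed", "closed")  # RST-ACK: nothing listening
    return ("syn-noreply", "filtered")


STEALTH = {"null-probe", "fin-probe", "xmas-probe"}


def detect_scans(text, min_ports=3):
    """Return (client, server, label, probed_ports, open_ports) per suspected scan."""
    groups = defaultdict(list)   # (client, server, family) -> [(port, technique, state)]
    for (client, server, proto, port), packets in parse_log(text).items():
        technique, state = classify_flow(proto, packets)
        family = "udp" if proto == "udp" else ("stealth" if technique in STEALTH else "syn")
        groups[(client, server, family)].append((port, technique, state))
    alerts = []
    for (client, server, family), probes in sorted(groups.items()):
        ports = sorted(p for p, _, _ in probes)
        techniques = {t for _, t, _ in probes}
        if family == "stealth":   # any NULL/FIN/XMAS probe is abnormal; report even one
            label = "stealth probe(s): " + ", ".join(sorted(techniques))
        elif len(ports) < min_ports:
            continue              # a few SYNs or UDP datagrams are ordinary traffic
        elif family == "udp":
            label = "UDP scan"
        elif "half-open" in techniques:
            label = "half-open (SYN) scan"    # handshakes aborted with RST
        elif "connect" in techniques:
            label = "connect (open) scan"     # full handshakes, logged by the services
        else:
            label = "SYN probes, no open port seen"
        open_ports = sorted(p for p, _, s in probes if s.startswith("open"))
        alerts.append((client, server, label, ports, open_ports))
    return alerts


if __name__ == "__main__":
    for client, server, label, ports, open_ports in detect_scans(SAMPLE_LOG):
        print(f"{client} -> {server}: {label}; probed {ports}; open {open_ports}")
```

On the sample, 10.0.0.5 is reported as a half-open scan with 53, 88 and 389 open, 10.0.0.7 is reported twice (NULL/XMAS probes and a UDP scan with 123 open|filtered), and the single completed handshake from 10.0.0.9 is not reported, which is the distinction a sensor has to make between a scan and ordinary traffic.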

Discover systems 

Now we can scan a network for specific systems. It's beyond the scope of this article to discuss all of this, but assume the attacker is on the internal network. A system usually presents a fingerprint of the services running on that box, for example through specific open ports. This makes it in one way or another unique. Linux, Unix and Windows systems all have some unique characteristics. This makes it possible to get a picture of the workstations and servers on the network segment and the type of systems. A domain controller presents some specific open ports, like the ports for Kerberos and LDAP traffic. Active Directory does its job by transmitting traffic over these ports, and finding them open gives a good indication of the possible role of the machine 
scanned. 
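The same role fingerprint (Kerberos, LDAP and Global Catalog ports on a domain controller) can be used the other way round: parse a scan of your own network and flag hosts whose open ports do not match what the inventory says they are. The following Python script is an added example, not code from the article or from Nmap; it re-uses the article's domain controller port table as sample input, while the hosts 192.168.1.23 and 192.168.1.50, the INVENTORY table and the ROLE_SIGNATURES port sets are assumptions made for the example.

```python
import re

# Sample input: the port table from the article's domain controller scan
# (192.168.1.8), plus two constructed hosts that are not from the article.
NMAP_OUTPUT = """\
Interesting ports on 192.168.1.8:
Not shown: 1685 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl

Interesting ports on 192.168.1.23:
Not shown: 1695 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds

Interesting ports on 192.168.1.50:
Not shown: 1692 closed ports
PORT     STATE SERVICE
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap
445/tcp  open  microsoft-ds
3268/tcp open  globalcatLDAP
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Port sets that, when all open, identify a role (assumed baseline for the example).
ROLE_SIGNATURES = {
    "domain controller": {88, 389, 445, 3268},  # Kerberos, LDAP, SMB, Global Catalog
    "windows member host": {135, 445},          # RPC endpoint mapper and SMB only
}

# Constructed inventory: what each host is supposed to be.
INVENTORY = {
    "192.168.1.8": "domain controller",
    "192.168.1.23": "windows member host",
    "192.168.1.50": "windows member host",
}


def parse_nmap(text):
    """Return {host: {open_port: service}} from Nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            hosts[current] = {}
            continue
        port = PORT_RE.match(line)
        if port and current and port.group(3) == "open":
            hosts[current][int(port.group(1))] = port.group(4)
    return hosts


def infer_role(open_ports):
    """Pick the most specific role whose whole signature is open on the host."""
    role, size = "unknown", 0
    for candidate, signature in ROLE_SIGNATURES.items():
        if signature <= set(open_ports) and len(signature) > size:
            role, size = candidate, len(signature)
    return role


def check_inventory(text, inventory):
    """List hosts whose observed role differs from the inventory's expectation."""
    findings = []
    for host, ports in parse_nmap(text).items():
        observed = infer_role(ports)
        expected = inventory.get(host, "not in inventory")
        if observed != expected:
            findings.append((host, expected, observed, sorted(ports)))
    return findings


if __name__ == "__main__":
    for host, expected, observed, ports in check_inventory(NMAP_OUTPUT, INVENTORY):
        print(f"{host}: expected {expected}, looks like {observed}; open {ports}")
```

Run against the sample, the domain controller and the member host match the inventory, while 192.168.1.50 is flagged because it exposes the full domain controller signature although it is recorded as an ordinary member host; a host that suddenly looks like a domain controller, or a server that lost its expected services, is exactly the drift a periodic scan of your own segment should surface.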

Once the attacker finds an interesting system, there are several exploits in the field that can be used to compromise it. For ethical reasons I'm not presenting the whole story here. However, there are many vulnerabilities, not only Microsoft Windows oriented but also in Linux, Firefox, specific routers and applications. Just assume I now want to get control over a specific machine in the network, either remotely or physically, and that I gain that control. Next I'm presenting a very old trick that most of you will know from the past, just as an example. The point is that it is still working on older or unpatched systems. 

The famous and notorious Null Session 

A so called "null session" occurs when you log on to a Windows system with no username or password at all. NetBIOS null sessions are vulnerabilities found in SMB, the Server Message Block protocol. SMB is a protocol for sharing files, printers, and communications such as named pipes between Windows computers. 



C:\Windows\system32>net use \\192.168.1.24\ipc$ "" /user:""
The command completed successfully.

Setting up a Null session 



One method of connecting a NetBIOS null session to a Windows system is to use the hidden Inter Process Communication share (IPC$). This hidden share is accessible using the net use command. The empty quotation marks ("") indicate that you want to connect with no username and no password. The syntax is as follows: 

C:\> net use \\192.168.1.71\IPC$ "" /u:"" 



Once the net use command has been successfully completed, the hacker has a channel over which to use other hacking tools and techniques. It is relatively easy to get a full dump of all usernames, groups, shares, permissions, policies, services and more using the null user session possibility. 

At this moment there are some options to protect against this kind of null session by setting a specific policy. In Windows (XP, Vista) there is a handful of policies that can be used and activated, or are there by default, to protect you against this type of attack. You can put some additional things in place to protect against this; I'll return to that later. 



Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Policy                                                                                    Security Setting
Interactive logon: Require Domain Controller authentication to unlock workstation         Disabled
Interactive logon: Smart card removal behavior                                            No Action
Microsoft network client: Digitally sign communications (always)                          Disabled
Microsoft network client: Digitally sign communications (if server agrees)                Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers            Disabled
Microsoft network server: Amount of idle time required before suspending session          15 minutes
Microsoft network server: Digitally sign communications (always)                          Disabled
Microsoft network server: Digitally sign communications (if client agrees)                Disabled
Microsoft network server: Disconnect clients when logon hours expire                      Enabled
Network access: Allow anonymous SID/Name translation                                      Disabled
Network access: Do not allow anonymous enumeration of SAM accounts                        Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares             Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication   Disabled
Network access: Let Everyone permissions apply to anonymous users                         Disabled
Network access: Named Pipes that can be accessed anonymously                              COMNAP,COMNODE,...
Network access: Remotely accessible registry paths                                        System\CurrentControlSet...
Network access: Shares that can be accessed anonymously                                   COMCFG,DFS$
Network access: Sharing and security model for local accounts                             Guest only - local users authenticate as Guest
Network security: Do not store LAN Manager hash value on next password change             Disabled

Policies in Windows 
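The Security Options settings shown above can be checked without clicking through the policy editor on every machine: export the local policy with secedit /export /cfg and compare the registry values in the export against a hardened baseline. The Python script below is an added example, not from the article or from Microsoft. Its SAMPLE_INF is a constructed file in the layout secedit writes, mirroring the weak values in the screenshot, and the expected values in CHECKS are the example's own assumed baseline for anonymous access, SMB signing and LM hash storage.

```python
# Constructed sample in the layout "secedit /export /cfg <file>" writes
# (registry entries as type,data; 4 = REG_DWORD, 7 = REG_MULTI_SZ). The
# values mirror the weak settings visible in the article's policy screenshot.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,COMNAP,COMNODE,SQL\QUERY
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,COMCFG,DFS$
[Version]
signature="$CHICAGO$"
Revision=1
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"

# Hardened values this example expects (an assumed baseline, not the article's):
# (setting key, policy name as shown in the Security Options list, is_ok(data))
CHECKS = [
    (LSA + r"\RestrictAnonymousSAM", "Do not allow anonymous enumeration of SAM accounts", lambda d: d == "1"),
    (LSA + r"\RestrictAnonymous", "Do not allow anonymous enumeration of SAM accounts and shares", lambda d: d in ("1", "2")),
    (LSA + r"\EveryoneIncludesAnonymous", "Let Everyone permissions apply to anonymous users", lambda d: d == "0"),
    (LSA + r"\NoLMHash", "Do not store LAN Manager hash value on next password change", lambda d: d == "1"),
    (SRV + r"\RequireSecuritySignature", "Microsoft network server: Digitally sign communications (always)", lambda d: d == "1"),
    (SRV + r"\NullSessionPipes", "Named Pipes that can be accessed anonymously", lambda d: d == ""),
    (SRV + r"\NullSessionShares", "Shares that can be accessed anonymously", lambda d: d == ""),
    ("System Access\\LSAAnonymousNameLookup", "Allow anonymous SID/Name translation", lambda d: d == "0"),
]


def parse_secedit_inf(text):
    """Return {key: data} from a secedit export; registry keys lose their type
    prefix, entries of other sections are keyed as "<section>\\<name>"."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "Registry Values":
            _type, _, data = value.partition(",")   # "4,1" -> type "4", data "1"
            settings[key] = data
        else:
            settings[f"{section}\\{key}"] = value
    return settings


def audit_anonymous_access(text):
    """Return ("MISSING"|"WEAK", policy name, detail) for every check that fails."""
    settings = parse_secedit_inf(text)
    findings = []
    for key, policy, is_ok in CHECKS:
        data = settings.get(key)
        if data is None:
            findings.append(("MISSING", policy, key))
        elif not is_ok(data):
            findings.append(("WEAK", policy, f"{key}={data}"))
    return findings


if __name__ == "__main__":
    for status, policy, detail in audit_anonymous_access(SAMPLE_INF):
        print(f"{status:7} {policy}\n        {detail}")
```

On the sample export the script reports five weak settings: anonymous enumeration of shares still allowed, LM hashes still stored, SMB signing not required, and named pipes and shares still reachable over a null session; the two settings the screenshot already shows as hardened (RestrictAnonymousSAM and anonymous SID/Name translation) pass. Run the same audit over exports from a group of machines and the differences between them show up immediately.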






Take over accounts 

If an attacker can get on a Windows computer (either a server or client computer), it is possible to choose from a wide variety of tools to get access to the password database (NTLM hashes) on that machine. 

After that, the attacker can start a brute force attack on the hashes and before you know it, the worst has happened. More accounts will be compromised and can be used to further elevate privileges, empty logs and create backdoors. 
On the Windows computer it's possible to use the gsecdump tool. This tool dumps all the hashes from the accounts on that machine. Possibilities from the command prompt are: 

-h [ --help ]             show help 
-a [ --dump_all ]         dump all secrets 
-l [ --dump_lsa ]         dump lsa secrets 
-w [ --dump_wireless ]    dump Microsoft wireless connections 
-u [ --dump_usedhashes ]  dump hashes from active logon sessions 
-s [ --dump_hashes ]      dump hashes from SAM/AD 

However, this tool needs to be running under a SYSTEM context on that computer, while the logged on user will not be running in that context. Services, however, will be running under the credentials of SYSTEM. The solution is to create a service that runs the command line shell in the SYSTEM context. To do this: 

C:\> sc create shellcmdline binpath= "cmd /K start" type= own type= interact 
C:\> sc start shellcmdline 
C:\> sc delete shellcmdline 

Now the command line window is running under the right credentials. Even under Vista this can be done. Now the gsecdump tool can be started to collect some data. In the next screenshot you can find the result of such an action. 



C:\WINDOWS\system32\cmd.exe

C:\gsecdump>gsecdump
gsecdump v0.6 by Johannes Gumbel <johannes.gumbel@truesec.se>
usage: gsecdump [options]

options:
  -h [ --help ]             show help
  -a [ --dump_all ]         dump all secrets
  -l [ --dump_lsa ]         dump lsa secrets
  -w [ --dump_wireless ]    dump microsoft wireless connections
  -u [ --dump_usedhashes ]  dump hashes from active logon sessions
  -s [ --dump_hashes ]      dump hashes from SAM/AD

C:\gsecdump>gsecdump -s
Administrator(current):500:821981be0ea3e551c2265b23734e0dac:0aad3e6a4d627a4dbafe24df5?0cb2e8:::
Guest(current):501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant(current):1000:f0c58a5f3701dad991185f6b9b78906f:6df73d3c74c2db62d42ac0b4521c4fbf:::
SUPPORT_388945a0(current):1002:aad3b435b51404eeaad3b435b51404ee:4ccecae791c7cda7468a34b488ffca75:::
User001(current):1003:821981be0ea3e551c2265b23734e0dac:0aad3e6a4d627a4dbafe24df5?0cb2e8:::

A gsecdump result (? marks a hex digit that is not legible in the screenshot) 



The next thing to do is to attack the hashes by 
using a good password crack utility. Another 
possibility would be to fire up a sniffer and to 
get the hashes sniffed off the network. Since 
most of us don't use SMB signing the SMB 
traffic is simple to intercept. 

Countermeasures 

How can you take some precautions without having to spend that much money on special hardware, software and consultants? 

First and foremost, get a decent security policy and baseline in place, hand out proper procedures and manage and control them, and let users sign a non-disclosure agreement or a disclaimer document. If you don't have that, all the rest will be a waste of time. Then think about segmenting your network: servers on a server segment and clients separately on another part. Even in the DMZ you can use segmentation. In case one server is attacked and compromised, the others aren't necessarily affected. Create some strict paths between these segments and ensure monitoring is in place. 
Implement server isolation. In such a scenario, specific servers or applications are configured to require IPSec policies to accept authenticated communications from other computers. For example, you might configure the domain controller to accept connections only from another domain controller in the Active Directory domain for certain services. Besides that, you can also implement domain isolation in a Windows environment. To isolate a domain, you can use Active Directory and the domain membership to ensure that only domain-member computers accept authenticated and secured communications from other domain-member computers. The isolated network holds only computers that are part of this domain. 

Protect your workstations (laptops) by using encryption and lower the number of cached logons (the cached credentials that allow a user to log on even when the domain is not reachable). On laptops this setting can probably be set to 1. Get good password policies with stronger passwords or, better, use passphrases or bring in smart cards with a PIN code. 

Next, harden servers as much as possible. Microsoft understands this problem, and in Longhorn Server or Server 2008 the number of started services will be minimized. You can download some pre-defined (policy) templates to implement this for Windows Servers. When there is no need to get Internet access from workstations in your environment, just don't provide it. Most malware and rootkits come in by simply clicking or browsing on a website. Block unwanted devices using device control on your workstations so you have much more control over this kind of behavior. 

Use logging to actively monitor servers, clients and users, and take care of the central and safe storage of all of it so logs can't be destroyed by unauthorized persons or personnel. Server 2008 and Windows Vista have the option to write or upload log data to a central server to analyze it when needed. Use encryption techniques to protect data and get decent patch management in place. 

Then, use host firewalls and IPSec for the creation of tunnels, or use only the authentication part of IPSec to give systems strong authentication. 

I will go into a little more detail on the Vista firewall in combination with IPSec and the possible solutions it can offer you. All the attack vectors I mentioned earlier in this article can be broken down by implementing one or more of the things I just mentioned. 



[Firewall rule properties dialog; tabs: General | Programs and Services | Users and Computers | Protocols and Ports | Scope | Advanced]

Users and Computers tab:
  Authorized computers
    [ ] Only allow connections from these computers:      Add...  Remove
  Authorized users
    [ ] Only allow connections from these users:          Add...  Remove
  Learn more about using authorization
                                                  OK    Cancel    Apply

Vista firewall: allow only specific connections 
Using a host based firewall and IPSec 

The Windows Vista Firewall comes enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. You can use it with the Advanced Security interface to configure specific custom made rules for both inbound and outbound connections. 

You can configure different rules and settings 
for the following firewall profiles: 

• domain. Used when a computer is con- 
nected to an Active Directory domain of which 
the computer is a member. 

• private. Used when a computer is connected 
to a private network behind a private gateway 
or router. 

• public. Used when a computer is connected 
directly to the Internet or any network that has 
not been selected as Private or Domain. 

When a user connects to a network that is not part of the domain, Vista pulls up that wall and asks the user to identify the network as either Public or Private. In combination with IPSec authentication, you can configure rules for specific computers so that connections from those computers bypass other rules set up in the Windows Firewall. This allows you to block a particular type of traffic, but allow authenticated computers to bypass this. 

The great thing about this is that a certain port is not even open if the criteria are not met. So if a non-authorized computer tries to connect, the port is not available. This authentication goes all the way: specific computers, users, membership of Active Directory groups and so on. If you do have a PKI in place, it's possible to combine this with the presentation of a client computer certificate and a user certificate that is stored on a smart card. In that way a user can be restricted to logging on from a specific network segment, computer or a combination. 



You can even restrict an administrator to doing some work only from specific computers or network segments by implementing the appropriate rules. If an administrator is trying to log on from home, this can be made impossible by certain rules. As you can see, this is very granular and easy to manage, because you will already be familiar with other management tasks within Active Directory. 

With Windows Vista, the firewall can allow more granular authenticated bypass rules, allowing the administrator to specify which ports or programs can have access, as well as which computer or group of computers can have access. 

Windows Service Hardening helps prevent critical Windows services from being used for potentially malicious activity in the file system, registry or network. If the firewall detects specific behavior as defined by the network rules, it will block that traffic at once. If a service is exploited and gets to run malicious code, it is prevented from sending or receiving traffic over non-authorized network ports. This reduces the effect the malicious code has on the system itself and its spread to other hosts in the network, greatly reducing the attack vector. 

I believe there are several possibilities within Windows XP, Server 2003, Vista and the not yet released Server 2008 to act against the more traditional attacks. With a good plan and up to date technology, there is a lot that can be done to make it much harder for the determined attacker to gain access and control over your environment. 

Malware, rootkits and other types of sophisticated technology play an important part in our networked and more open world today than ever before. 70 percent of Windows computers today are infected by some kind of malware. It is a new and different threat and not stopped by traditional solutions. We certainly need to create awareness in our end-users to make sure this doesn't happen as often. 



Rob P. Faber (CISSP, CEH, MCSE) is an infrastructure architect, consultant and senior engineer. He is currently working for an insurance company (22.000 client computers) in The Netherlands. His main working area is (Windows Platform) Security, Active Directory and Identity Management. You can reach him at rob.faber@icranium.com or find him on the LinkedIn network. 
Are you PCI DSS compliant? 

Introducing the GFI PCI Suite for event log management, network vulnerability scanning, patch management and network auditing 

Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) should be high on the agenda of companies which store, transmit or process credit card data, even more so now that they can face fines of up to $500,000 if they do not become PCI DSS compliant! 

GFI PCI Suite 

GFI Software offers the GFI PCI Suite to help such organizations to become compliant with the majority of the automated processes required by the PCI DSS. This package includes GFI EventsManager for event log management and GFI LANguard Network Security Scanner (N.S.S.) for network vulnerability scanning, patch management and network auditing. 

GFI EventsManager: Complete event log management solution 

GFI EventsManager automates event log management, enabling administrators to keep track of events generated network-wide from all devices that use Windows event logs, W3C, and Syslog. Event log management is time consuming unless administrators have a solution such as GFI EventsManager that categorizes events by severity and issues alerts on critical events. It provides additional benefits in event auditing and makes it easier to browse events and conduct forensic analysis. As data logging is a key PCI DSS requirement, GFI EventsManager is the tool you need to become compliant. 

GFI LANguard N.S.S.: Complete vulnerability management solution 

GFI LANguard N.S.S. is a network vulnerability management solution that scans your network IP by IP, identifies all possible security threats, fixes vulnerabilities and manages missing patches. To achieve PCI DSS compliance organizations must maintain secure systems and applications as well as ensure that their network is scanned for vulnerabilities that may compromise a network's security. GFI LANguard N.S.S. provides businesses with the tools they need to gauge the effectiveness of their PCI DSS compliance efforts. 

To learn more about how GFI can help you become PCI DSS compliant visit http://www.gfi.com/pci/ 

GFI: Network Security | Content Security | Messaging 

tel: +1 (919) 379 3397 | fax: +1 (919) 379 3402 | email: sales@gfiusa.com | url: www.gfi.com/pci/ 



Taking ownership of the Trusted Platform Module chip on Intel Macs 

By Jonathan Austin 




I have been following the work of the Trusted Computing Group (TCG) since its inception. The body, successor to the Trusted Computing Platform Alliance started by such giants as Hewlett-Packard, IBM, Intel and Microsoft, has the goal of developing vendor-neutral standard specifications for trusted computing. TCG is quite present at all the major information security conferences around the globe, so I had an opportunity to attend some of their lectures and check out actual trusted platforms (hardware devices with TPM chips) in test environments. 



What is a TPM chip 

The TPM is a microcontroller that stores keys, passwords and digital certificates. It's typically affixed to the motherboard of a PC. The nature of this silicon ensures that the information stored there is made more secure from external software attack and physical theft. Security processes, such as digital signature and key exchange, are protected through the secure TCG subsystem. 

Access to data and secrets in a platform could be denied if the boot sequence is not as expected. Critical applications and capabilities such as secure email, secure web access and local protection of data are thereby made much more secure. TPM capabilities also can be integrated into other components in a system. 



Apple and TPM 

If you bought your Mac between May and October of 2006, you most probably have a TPM chip. The chip in question was the Infineon TPM module SLB 9635 TT 1.2. It looks like Apple had plans to use the trusted platform possibilities, but while the chip was present, Apple did not use it at all. Therefore, computers released after October 2006 do not contain an onboard Infineon TPM. As the Trusted Computing Group is seeing an increasing adoption rate of their technology, TPM will most probably be back inside Apple hardware in the future. 

Benefits for the users 

Amit Singh, author of "Mac OS X Internals: A Systems Approach", wrote a whole chapter about trusted computing for Mac OS X. Besides this, he released a Mac driver and daemon that will be used later in this article. 

While the TPM chip is not used by any of the Apple software products, that doesn't mean that developers cannot use it for the specific purposes of their applications. While it is not the best idea to target just the computers that have TPM chips, such a "perfect" customization can be used in some organizations, for instance ones running only TPM-enabled Macs. Singh notes that developers could use the TPM from within their own applications to: 

• Create private/public key pairs such that the private key never leaves the TPM in clear form, and because of that the private key cannot be stolen. 

• Sign data without the private key ever leaving the chip. 

• Encrypt data such that it can only be decrypted on the physical machine it was encrypted on. 

• In protocols such as SSL that use key exchange, employ the TPM for a much better guarantee regarding the identities involved. 

Testing the existence of TPM chip 

For the purpose of testing your computer for the existence of the TPM chip we will need to use the command line utility ioreg, which displays the I/O Kit registry. Starting the utility without any particular switches, we simply filter its output by grepping for TPM. The result shows that a TPM is present on my MacBook notebook: 



Terminal

cradle:/tmp jonathan$ ioreg | grep TPM
    |   +-o TPM  <class IOACPIPlatformDevice, registered, matched, active, busy 0, $
cradle:/tmp jonathan$ 



Tools of the trade 

To work with the TPM chip, we need to use the following: 

TPM Setup 

A Mac application released in mid June 2007 that can be used to set up and take ownership of your TPM. The software package is provided by the fine folks at Comet Way, who recently noted their plans to release a simple file encryption utility for your TPM Mac. 

Important: TPM Setup is an Intel binary, therefore it can be used just on Intel Macs. 

There is a disclaimer the developers provided with the TPM Setup application. The software is provided as a demo and should be used at your own risk. From the technical perspective the only troublesome thing you can create is to set up and then forget the TPM password, which could be a bad thing. You will also need to be at least a bit familiar with the UNIX shell, but following the graphics from this article should be just enough. 

TPM Setup can be downloaded from: 

1) Comet Way: darkside.cometway.com 

2) Help Net Security: net-security.org/software.php?id=675 

OSXBookTPM.kext and tcsd 

These are Amit Singh's kernel extension and the daemon needed for the whole TPM experience. These files were released under GPLv2, so the guys at Comet Way are redistributing them within the TPM Setup package. Bottom line, all the applications you will need are located in the same archive linked in the previous paragraph. 


Let's take the ownership of the TPM chip 

As you could see from the first screenshot, the TPM is enabled and activated. The only thing still needed is to take ownership of it. This means that we need to set up two passwords: one for the TPM chip itself and the other one for the Storage Root Key (SRK). 
TPM Setup can also reset a TPM by clearing it, enabling and activating it, and allowing the user to take ownership of the TPM. In this case two reboots will be required, once after clearing the TPM, and once again after enabling and activating it. 

In our case of a "clean TPM", we won't need any reboots and the only interaction is entering two sets of passwords (they can be identical). Before this, we need to use the Terminal to start Amit Singh's tcsd daemon and load the TPM kernel extension. 

As mentioned earlier, the support directory of TPM Setup contains all the needed scripts, the kernel extension and the daemon. Let's start the daemon with the tpmInit script: 



Terminal

cradle:/tmp jonathan$ ./tpmInit

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
kextload: extension /Users/jonathan/tpmTest/OSXBookTPM.kext appears to be valid
kextload: loading extension /Users/jonathan/tpmTest/OSXBookTPM.kext
kextload: /Users/jonathan/tpmTest/OSXBookTPM.kext loaded successfully
kextload: loading personalities named:
kextload:     Infineon SLB 9635 TT 1.2
kextload: sending 1 personality to the kernel
kextload: matching started for /Users/jonathan/tpmTest/OSXBookTPM.kext
TCSD tcsd_conf.c: Config file /usr/local/etc/tcsd.conf not found.
TCSD tcsd_conf.c: Using default configuration settings.
TCSD tcsd_conf.c: resetting mode of /usr/local/var/lib/tpm to 01777
trousers 0.2.6 (with TPM 1.2 [illegible] patch by [illegible])
Mac OS X support by http://osxbook.com
*** ATTENTION ***
Experimental software (allows physical presence assertion in all run levels)
TCSD up and running 



The script needs administrative privileges, so the appropriate password needs to be entered. As you can see from the screenshot, the kernel extension is successfully loaded and the daemon is started. Leave this terminal window open; if you want to kill the daemon, hit the Ctrl+C key combination.

Now that the daemon is started, we can open the TPM Setup application and take ownership of the TPM chip. If for some reason you didn't start the daemon, or the start was unsuccessful, the following window will tell you to start the process again. In our case, everything is just fine:



[Screenshot: TPM Setup, "Introduction" step. The dialog reports that the TPM is enabled and activated, and unowned, so only the owner passwords are required; the first two TPM Setup stages ("Clearing the TPM" and "Enabling the TPM") are skipped and no reboots will be required. Click "Continue" to take ownership of your TPM. Buttons: Cancel, Continue.]
Time to enter the user and SRK passwords:



[Screenshot: TPM Setup, "Take Ownership of the TPM" step. The dialog reports that the TPM has been enabled and that you must now take ownership of it with two passwords: a password for the TPM itself, and another password for the Storage Root Key (SRK). A reboot will NOT be required.]

Final phase - TPM is operational, activated, enabled and owned: 

[Screenshot: TPM Setup, "TPM Operational and Ready" step. The dialog reports that the TPM is operational (activated and owned) and that a reboot is NOT required.]

Conclusion

The whole procedure covered throughout this article is not at all "mainstream", so TPM will currently be of use to an extremely limited number of users. Soon Comet Way will release the mentioned file encryption utility, and there is always a need for enhancing the state of security on your Mac.
Never has the need to prove compliance with external regulations and internal policies been more acute than it is today. The likely consequences of failing to prove that your organization is compliant and that you are strictly adhering to your own policies can be significant, up to and including possible criminal penalties for top corporate executives. And the buck doesn't stop there. Anyone who is familiar with the Enron story may also remember that it resulted in the once grand Arthur Andersen being brought to its knees, illustrating the thoroughness that external auditors will apply to ensure that they are not implicated.



Organizations today must prove beyond a shadow of a doubt not only that they have a security program in place, but that it is enforced and is consistent across the organization. Information technology departments play a key role in this endeavor. Shortcomings in IT policies can have potentially serious consequences.

Research by Gartner has shown that 65 percent of all successful computer attacks take advantage of badly configured systems: use of out-of-the-box default settings, user accounts configured with privileged rights, simple configuration errors or unscrupulous system administrators. If that's not bad enough, a recently published survey conducted by the U.S. Secret Service together with Carnegie Mellon University's Software Engineering Institute CERT Program found that eighty-six percent of people who carried out insider sabotage held technical positions and ninety percent had system administrator or privileged system access - which meant they held the passwords to override the system and access the network.

No matter how secure a system may be, if the controls to access that system are not adequate, eventually this will be exposed.
A recent Audit Commission report in the UK highlighted that problems are frequently a result of poor access controls that inevitably increase the risk of accidental damage and deliberate abuse. Instances such as the failure of management to escort disgruntled employees from buildings and remove all IT system access have given such staff the time and opportunity to vent their anger on the organization and cause major disruptions.

Interestingly, the report found that the main reasons for breaches were ineffective policies and the failure to enforce policies.

There are also many misconceptions about regulatory compliance for outsourcing. For example, if your company has outsourced management of its IT infrastructure, the responsibility for compliance still rests with your company, not its outsourcing partner. Additionally, companies providing outsourcing services need to ensure that they are not implicated in the event that issues arise. In other words, select a good outsourcing partner and you could be a winner; select a bad one and you could be out of business. It is not the brand name that should convince you, but the quality and experience of the staff that will be responsible for your highly sensitive data.






Compliance and regulatory requirements

Being compliant has become a major focal point for most large organizations, but for all practical purposes this should be a goal for risk management and security in every organization. Regardless of external factors, those responsible for the integrity of the IT environment should be actively involved in ensuring that permanent staff, business partners and contracted staff, who may have privileged user rights, comply with company policies when it comes to handling company assets.

For those organizations that also need to meet public standards, the level of media exposure that has resulted from high-profile cases in the United States means that most people in the IT security arena are familiar with Sarbanes-Oxley, Basel II, 21 CFR Part 11, PCI, Gramm-Leach-Bliley and HIPAA.

However, it is not simply these much publicized standards. Today most countries have very similar regulations in place, such as France's "Loi de Securite Financiere", Germany's "KonTraG", the UK's "Combined Code" and the Netherlands' "Tabaksblat Code", which require a similar level of due diligence when it comes to IT security practices, although there are variations in how compulsory they are in different countries.

Additionally, many organizations are adopting best practices by implementing standards such as ITIL and ISO 27001 in order to ensure consistency across their enterprises. From an IT perspective, what all of these regulations have in common is that they require the strengthening of internal controls related to the use of IT systems.

The controls that are specified in most standards are very similar. All deal with the primary threats that exist in the IT environment, focusing on the misuse of privileged accounts, mistakes by privileged users and malfunctions within the IT infrastructure itself, particularly when it comes to the security of highly sensitive information. The IT security group needs to be able to prove which privileged user accessed what system, demonstrate that confidential systems and data could not have been accessed by those who had no rights, and show that those who have the right are tracked.

The importance of automation in tracking and reporting IT controls cannot be overstated. These tools are important in providing timely alerts by continuously collecting and alerting on events for any critical component within the IT infrastructure. Additionally, they are an important factor in reducing the costs associated with collating the information. For any organization that must comply with these regulations, it is mandatory that the IT departments comply, and the IT security department must be able to demonstrate to the rest of the organization, and to those external parties that monitor its activities, that the effectiveness of IT controls is adequate.

Anyone who has been faced with an audit, either internal or external, can attest to the resource demands that are placed on the IT organization. This can be especially challenging when an organization is present in different geographical locations. The effectiveness of the controls and reporting tools within the IT security departments is critical both to achieving a successful audit and to limiting the amount of resource that is required to deliver the necessary information.

Ultimately, you are answering the questions: do you have the important controls in place, have you implemented effective change management, are your access controls effective - and of course, can you prove it?

A major challenge facing organizations today is that regulations do not make allowances for unintentional errors, and human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by fewer staff. Today almost all risk results from internal threats, and because many organizations focus their investment on protecting against the external threat, they are often not adequately prepared to protect against internal risks. Today any organization that has an IT infrastructure relies heavily on databases, and database security practices, including everyone and every process that accesses the database, will always be scrutinized very closely by auditors.

So what should you do?

Whether or not you are compelled to apply policies to comply with the various standards, you should familiarize yourself with what is required. My recommendation would be to start by taking the time to study the ISO 27001 standard to gain an overall view of what is required to have an effective information security policy, and in conjunction look at the requirements of the Payment Card Industry (PCI) standard. Although the PCI standard is intended for organizations that deal with credit card transactions, it offers a very practical guide to what should be done in many areas, and will ensure that you have taken adequate precautions to protect yourself and your business.



Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing the Cyber-Ark business in Europe and Africa.

Before joining Cyber-Ark, MacLeod served as Europe, Middle East and Africa Business Development Director for Netilla Networks, and was responsible for leading some of the early SSL VPN projects in Europe. MacLeod has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.
Black Hat USA 2007 Briefings & Training
28 July-2 August 2007 - Las Vegas, USA
http://www.blackhat.com/

HITBSecConf2007
3 September-6 September 2007 - Kuala Lumpur, Malaysia
http://conference.hitb.org/hitbsecconf2007kl/

Security '07 - 16th USENIX Security Symposium
6 August-10 August 2007 - Boston, USA
http://www.usenix.org/events/sec07/

Chaos Communication Camp 2007
8 August-12 August 2007 - Finowfurt, Germany
http://events.ccc.de/camp/2007/Home

InfowarCon 2007
9 September-21 September 2007 - Bethesda, USA
http://www.infowarcon.com/

RSA Conference Europe 2007
22 October-24 October 2007 - London, United Kingdom
http://www.rsaconference.com/2007/Europe

3rd Annual Techno Forensics Conference
29 October-31 October 2007 - Gaithersburg, USA
http://www.Techno2007.com/
Best practices dictate that we must protect sensitive data at the point of capture, as it's transferred over the network (including internal networks) and when it is at rest. Protecting data only sometimes - such as sending sensitive information over wireless devices, over the Internet or within your corporate network as clear text - defeats the point of encrypting information in the database.



It's far too easy for information to be intercepted in its travels, so the sooner the encryption of data occurs, the more secure the environment will be. A comprehensive encryption solution doesn't complicate authorized access to the protected information - decryption of the data can occur at any point throughout the data flow wherever there is a need for access.

Decryption can usually be done in an application-transparent way with minimum impact to the operational environment. Due to distributed business logic in application and database environments, organizations must be able to encrypt and decrypt data at different points in the network and at different system layers, including the database layer.

Encryption performed by the database management system can protect data at rest, but more security-oriented corporations will also require protection for data while it's moving between applications, databases and data stores. One option for accomplishing this protection is to selectively parse data after the secure communication is terminated and encrypt sensitive data elements at a very granular level (usernames, passwords, and so on). Application-layer encryption and mature database-layer encryption solutions allow enterprises to selectively encrypt granular data into a format that can easily be passed between applications and databases without changing the data.

Key Management is often overlooked

One of the essential components of encryption that is often overlooked is key management - the way cryptographic keys are generated and managed throughout their life.
Since cryptography is based on keys which encrypt and decrypt data, your database protection solution is only as good as the protection of those keys. Security depends on several factors, including where the keys are stored and who has access to them. When evaluating a data privacy solution, it is essential to include the ability to securely generate and manage keys. This can be achieved by centralizing all key management tasks on a single platform, and effectively automating administrative key management tasks, providing both operational efficiency and reduced management costs.

Data privacy solutions should also include an automated and secure mechanism for key rotation, replication, and backup. The difficulty of key distribution, storage, and disposal has limited the wide-scale usability of many cryptographic products in the past. Automated key distribution is challenging because it is difficult to keep the keys secure while they are distributed, but this approach is finally becoming secure and more widely used. Standards for key management have been developed by the government and by organizations such as ISO, ANSI, and the American Banking Organization (ABA). The key management process should be based on a policy. This article will exemplify different elements of a suggested policy for a Key Management System used for managing the encryption keys that protect secret and confidential data in an organization.






Issues with native point solutions

A major problem with encryption as a security method is that the distribution, storage, and eventual disposal of keys introduce an expensive and onerous administrative burden. Historically, cryptographic keys were delivered by escorted couriers carrying keys or key books in secure boxes.

An organization must follow strictly enforced procedures for protecting and monitoring the use of the key, and there must be a way to change keys. Even with all of these restrictions, there is always a chance that the key will be compromised or stolen. Even though standards have been developed for key management, it is still the most difficult part of an encryption solution. This is one of the greater challenges to overcome when you decide to create your own solution based on encryption toolkits from database vendors and security vendors. These toolkits provide the basic functionality for encrypting and decrypting information but typically do not provide a secure key management system.

Many companies have tried to develop their own encryption functionality, but few have succeeded in creating a system that performs not only the obvious encryption, but does so in a secure and reliable manner that does not prevent you from keeping your systems operational. A mature data protection system should be based on a sophisticated key management system that is transparent, automated, secure and reliable for the environments where it operates.

A distributed approach with a central point of control

A mature data protection system should provide a central point of control for data protection systems at the application, database and file levels. The encryption solution has a combined hardware and software key management architecture which combines the benefits of each technology. This will address the central security requirements while providing the flexibility to allow security professionals to deploy encryption at the appropriate place in their infrastructure. It provides advanced security and usability, and a smooth and efficient implementation into today's complex data storage infrastructures.

If your human resources department locks employee records in filing cabinets where one person is ultimately responsible for the keys, shouldn't similar precautions be taken to protect this same information in its electronic format? One easy solution is to store the keys in a restricted database table or file. But all administrators with privileged access could also access these keys, decrypt any data within your system, and then cover their tracks. Your database security in such a situation is based not on industry best practice, but on trusting your employees. When securing the sensitive data within your organization, trust is not a policy. The key custodian should be a role in the IT organization.

The key custodian

The key custodian is responsible for managing the multi-layer key management infrastructure, including the creation of keys, distribution of replacement keys and the deletion of keys that have been compromised. The custodian should be appointed by the Compliance Review Committee. Access to central key management functions should require a separate and optional strong authentication, and management of encryption keys should be logged in an evidence-quality audit system. Keys stored in the Hardware Security Module are protected from physical attacks and cannot be compromised even by stealing the Hardware Security Module itself. Any attempt to tamper with or probe the Hardware Security Module will result in the immediate destruction of all private key data, making it virtually impossible for either external or internal hackers to access this vital information.

Encryption of the application data should be performed by an Enforcement Agent that should be implemented as a Dedicated Encryption Service (please see my articles in (IN)SECURE issue 8 - insecuremag.com and tinyurl.com/23bhz7) that is separated from the administration of the data that it protects. This service may run in different environments, including in a separate process, a separate server or in a Hardware Security Module, depending on the security class of the data and the operational requirements for performance and availability.






Key domains for protection and easier management

A mature data encryption solution should support the concept of key domains, which can isolate different systems for security reasons or operational needs. Each key domain may have different security exposures and can have a different policy for how keys should be managed, including key generation, key rotation and protection of key material. It should support transparent re-encryption of the data when it flows between systems that are using different encryption keys or different algorithms.

The Key Management System must support multiple levels of keys to ensure that the encryption keys that protect secret and confidential data cannot be compromised. This enables the use of different encryption keys for different columns, tables and files. When setting policy, it is important to configure the use of different encryption keys and initialization vectors across different columns, tables and files to maintain compartmentalization and a diverse front against attack. The keys should be stored in an Enforcement Agent that supports dual control (requiring more than a single administrator/operator) for key recovery. It may be implemented in hardware or software, but it must support both the encryption and integrity of the key backup format.

Annual review of algorithms and key lengths

The Key Management System must support key lengths (strengths) of 128 bits or greater for symmetric keys. Such keys are deemed "strong encryption" and are not susceptible to a brute force attack using current technology. Public or asymmetric keys must be of equivalent strength. That is, a 128-bit symmetric key and a 3072-bit public key are considered to be equivalent in terms of strength, while a 15,360-bit public key is equivalent to a 256-bit symmetric key. The data encryption should be performed with strong standard algorithms including 3DES, AES 128 or AES 256. Data requiring protection for longer periods of time should use the longer key lengths. Note that adequate CPU power today may not be enough tomorrow as you incorporate more secure communications. It is wise to establish a key-length policy early and review it annually.

Secure generation and distribution of keys

The Key Management System must generate a unique key for each file, tape, or other data element that needs to be encrypted. Private keys must be generated within the secure confines of the Key Management System and never be transferred outside the Key Management System unless encrypted with a Key Encryption Key. All keys should be centrally generated in software or hardware based on the security class for the type of data they protect.

The key management system must be able to electronically transfer private keys to other trusted key repositories throughout the enterprise. This may also be implemented via Smart Cards. The security policy should define where different keys should be stored and cached. The master keys are used to encrypt all operational keys, which should be stored in cipher text in separate databases.

Security metadata and operational encryption keys should be kept in cipher text (even when stored in memory) until needed for use by crypto-services routines. All communication, both external and internal, is encrypted. All Data Protection System services should use X.509 certificates and SSL for secure distribution of encryption keys. Unique keys should be generated for each Enforcement Agent, and should be used when sending information between system components.

The data encryption method should be based on different encryption keys for different columns, tables, files and directories. An optimal design for Hardware Security Module support can be based on an optimal combination of hardware and software keys. The supported Hardware Security Module should be tamper evident and compliant with FIPS PUB 140-2 Level 3 Security Requirements for Cryptographic Modules, and keys are randomly generated in compliance with ANS X9.24 Section 7.4.

Key validation, access control and logging

Key validation is performed by integrity checking the security metadata that is kept in ciphered text (even in memory). Key access control is performed by role-based authorization of users, allowing for specific authorized actions by user (select/insert/update/delete). Users can be authenticated by any accepted means of the native database.

Any encrypt/decrypt operation requested by the user is verified against the policy by the Enforcement Agent after authorization and authentication checks have been completed by the database. Under the control of the authenticated Security Administrator, the system should generate a Master Key used to encrypt all operational keys.

Security data remains ciphered until needed for use by crypto-services routines. The master keys and data encryption keys should be secured, and their integrity checked. All communication, external and internal, should be encrypted. The system may use public key cryptography to exchange the symmetric encryption keys. The Key Management System must support tracking of when keys are created and deleted, who created and deleted them, who used what keys, and what was done with the key.

Key protection and aging

Encryption keys should be protected and encrypted when stored in memory or databases, and during transport between systems and system processes. The use of a combination of software cryptography and specialized cryptographic chipsets, called a Hardware Security Module, can provide a selective added level of protection, and help to balance security, cost, and performance needs.

Certain fields in a database require a stronger level of encryption, and a higher level of protection for the associated encryption keys. Encryption keys and security metadata should continuously be encrypted and integrity validated - even when communicated between processes, stored or cached in memory. Security data should remain ciphered until needed for use by crypto-services routines.

Key Rotation, or more accurately Key Aging, is a security best practice and is required by some governmental reg­ulations and industry initiatives. More sensitive data, and data on more exposed systems, should be re-encrypted with fresh encryption keys more frequently than the rest of the data. A well designed automated key rotation solution can provide zero downtime by attaching key labels to each record or data field in the operational databases and file systems. The automated key rotation process can run in the background and utilize spare cycles on each available processor on your data servers. The background processing can be assigned a priority level that will complete the key rotation according to the policy that is defined.






Secure key storage

To maintain a high level of security, the end-point server platform should provide the choice to only temporarily cache encrypted lower-level data encryption keys. Key encryption keys should always be stored encrypted on separate platforms. A central server with a hardened standard computing platform to store the keys can provide a cost-effective solution. Keys should be kept in an encrypted format in memory (cached) until they are to be used.

Data encryption keys should be stored in encrypted format in a separate data server along with other policy information, optionally on the Security Administration System repository or on the local database where the Enforcement Agent is installed, depending on the operational requirements and security level of the data that is protected. All keys except the Master Key should be stored (encrypted) under the Key Encryption Keys. The Master Key should also be protected while in transient storage, or be kept inside the Hardware Security Module storage, depending on the operational requirements and security level of the data that is protected by the keys.
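An added example, not from the article or any product it describes, of the two ideas above in working Go: the key hierarchy (a master key standing in for the HSM, with data encryption keys held only wrapped under it) and zero-downtime rotation by attaching a key label to each record, as the "Key protection and aging" section suggests. The "dek-N" labels, the in-memory map and the use of AES-256-GCM with the label as authenticated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRand returns n bytes from the OS CSPRNG; an unavailable CSPRNG is fatal for a key store.
func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM for a 32-byte key; a wrong key length is a programming error.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts plain and prefixes the nonce; aad (the key label) is authenticated, not encrypted.
func seal(key, plain, aad []byte) []byte {
	g := aead(key)
	nonce := mustRand(g.NonceSize())
	return g.Seal(nonce, nonce, plain, aad)
}

// open splits off the nonce and verifies the tag before returning plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	ns := g.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed blob shorter than nonce")
	}
	return g.Open(nil, sealed[:ns], sealed[ns:], aad)
}

type Record struct {
	KeyLabel string // label of the DEK that encrypted Data
	Data     []byte
}

// KeyStore models one key domain (constructed): a master key (HSM stand-in) and DEKs held only wrapped.
type KeyStore struct {
	master  []byte
	wrapped map[string][]byte // label -> DEK sealed under the master key
	active  string            // label used for new writes
	next    int
}

// Rotate makes a fresh DEK active under a new label (creating the master key on first use).
// Old labels stay resolvable, so records keep decrypting while a background job re-encrypts them.
func (ks *KeyStore) Rotate() string {
	if ks.wrapped == nil {
		ks.master, ks.wrapped = mustRand(32), map[string][]byte{}
	}
	ks.next++
	label := fmt.Sprintf("dek-%d", ks.next)
	ks.wrapped[label] = seal(ks.master, mustRand(32), []byte(label))
	ks.active = label
	return label
}

// dek unwraps a DEK by label; the plaintext key lives only for the duration of one call.
func (ks *KeyStore) dek(label string) ([]byte, error) {
	w, ok := ks.wrapped[label]
	if !ok {
		return nil, fmt.Errorf("no key for label %q (retired or unknown)", label)
	}
	return open(ks.master, w, []byte(label))
}

// Encrypt protects a field under the active DEK and tags the record with its label.
func (ks *KeyStore) Encrypt(plain []byte) (Record, error) {
	k, err := ks.dek(ks.active)
	if err != nil {
		return Record{}, err
	}
	return Record{KeyLabel: ks.active, Data: seal(k, plain, []byte(ks.active))}, nil
}

// Decrypt resolves the label to its DEK; a record relabelled to another key fails the tag check.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	k, err := ks.dek(r.KeyLabel)
	if err != nil {
		return nil, err
	}
	return open(k, r.Data, []byte(r.KeyLabel))
}
```

Re-encrypting a record is Decrypt followed by Encrypt, which the background job can do one record at a time; once no record carries an old label, its wrapped DEK can be deleted.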

Effective protection of memory cached keys

Memory attacks may be theoretical, but cryptographic keys, unlike most other data in a computer's memory, are random. Looking through memory structures for random data is very likely to reveal key material. Well-made libraries for use as Native Encryption Services go to great efforts to protect keys even in memory. Key-encryption keys are used to encrypt the key while it is in memory, and then the encrypted key is split into several parts and spread throughout the memory space. Decoy structures may be created to mimic valid key material. Memory holding the key is zeroed as soon as the cryptographic operation is finished. These techniques reduce the risk of memory attacks.

Separate encryption keys should be used for different data. These encryption keys can be automatically rotated based on the sensitivity of the protected data. Dedicated Encryption Systems can provide separation between processes or servers dedicated to encryption operations, but they are also vulnerable to memory attacks. However, a well-made Dedicated Encryption System runs only the minimal number of services. Since web servers, application servers, and databases have no place on a dedicated cryptographic engine, these common attack points are not a threat. This severely constrained attack surface makes it much more difficult to gain the access needed to launch a memory attack. The security classification of the protected data will help in deciding a topology that will give the right balance between security, performance and scalability for each type of environment within an organization.
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Key backup and recovery 

A weak link in the security of many networks is 
the backup process. Often, private keys and 
certificates are archived unprotected along 
with configuration data from the backend 
servers. The backup key file may be stored in 
clear text or protected only by an administra- 
tive password. This password is often chosen 
poorly and/or shared between operators. To 
take advantage of this weak protection 
mechanism, hackers can simply launch a dic- 
tionary attack (a series of educated guesses 
based on dictionary words) to obtain private 
keys. 

To maintain a high level of security and separation, the application data backup files should be kept separate from the backup of the (encrypted) lower level data encryption keys. After keys are created, they must be archived to a secure storage environment where they can be kept for long periods of time. Master keys should be backed up separately. During installation, the master key should be generated and stored on removable media for recovery purposes. 

Maintaining this media in escrow and/or at 
your disaster recovery site is best practice. 
Backup of keys on the Security Administration 
System should be performed on a regular ba- 
sis, usually before and after major policy 
changes are realized. 

Backup of the encrypted data encryption keys should be automated and performed at the same time as the business data backup, using standard database backup and restore procedures. Even if policies or keys have changed, or if the Security Administration System is unavailable, any Enforcement Agent and its protected database may then be restored successfully as long as access to the Master Key is provided via proper user authentication. The Key Management System must be able to survive multiple hardware and site failures and still be able to retrieve the archived keys to unlock encrypted data. It must also support creation and management of "split keys," so that decrypting data requires the cooperation of multiple persons, each knowing only their part of the key, to reconstruct the whole key. 
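The split-key requirement above is usually met with a threshold secret-sharing scheme. As an added example (not code from the article or from Protegrity), here is Shamir's scheme in Python: the master key becomes the constant term of a random polynomial over a prime field, each custodian receives one point on that polynomial, and any `threshold` custodians can interpolate the key while fewer than `threshold` learn nothing about it. The field modulus, the share counts and the demonstration key are constructed for the example.

```python
import secrets

# Shamir's threshold scheme over the prime field GF(p). The modulus is the
# Mersenne prime 2**521 - 1 (a constructed choice for this example), which
# comfortably holds a 256-bit master key as a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod PRIME using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, shares: int):
    """Split key into `shares` points (x, y); any `threshold` of them recover it."""
    if not 1 < threshold <= shares < PRIME:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too long for the field")
    # The constant term is the secret; the other threshold-1 coefficients are
    # random, so any threshold-1 points are consistent with every possible key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the given distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_key(shares, key_len: int) -> bytes:
    """Recover the original key bytes from at least `threshold` shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    master_key = secrets.token_bytes(32)           # constructed 256-bit master key
    parts = split_key(master_key, threshold=3, shares=5)
    for x, y in parts:
        print("share for custodian %d: x=%d y=%x..." % (x, x, y >> 480))
    print("3 of 5 shares recover the key:",
          recover_key([parts[0], parts[2], parts[4]], 32) == master_key)
    print("2 shares yield a different value:",
          recover_secret(parts[:2]) != int.from_bytes(master_key, "big"))
```

Each custodian's share is stored and backed up independently of the others (and of the encrypted data encryption keys), so a single compromised backup tape or a single dishonest operator never yields the master key.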

Conclusion 

We have reviewed crucial guidelines and best 
practices for a Key Management System for 
data encryption based on the approach of a 
central point of control for key management 
and distributed encryption and policy en- 
forcement across applications, databases and 
file systems. 

The solution provides great flexibility by com- 
bining the benefits from hardware and soft- 
ware based encryption and key management. 
This approach addresses the requirements for 
central security control while providing the 
flexibility to allow security professionals to 
deploy encryption at the appropriate place in 
their infrastructure. It provides the needed 
balance between advanced security, availabil- 
ity, and performance for the combined solu- 
tion. 

The concept of separate key domains across a data flow can isolate different systems from a risk perspective, and it can also accommodate differences in operational requirements. Best practices dictate that we must protect sensitive data at the point of capture, as it is transferred (including over internal networks) and when it is at rest. 

A mature solution for encryption and key 
management can provide this higher level of 
protection of information. 



Ulf T. Mattsson is the CTO of Protegrity. Ulf created the initial architecture of Protegrity's database security 
technology, for which the company owns several key patents. His extensive IT and security industry experi- 
ence includes 20 years with IBM as a manager of software development and a consulting resource to IBM's 
Research and Development organization, in the areas of IT Architecture and IT Security. Ulf holds a degree in 
electrical engineering from Polhem University, a degree in Finance from University of Stockholm and a mas- 
ter's degree in physics from Chalmers University of Technology. 

For more of his work download earlier issues of (IN)SECURE Magazine. 
Handheld USB devices have been a godsend to anyone who wants to take information from one PC to another, but their ease of use has also created a new type of security headache for companies. 

The recent explosion in sales of devices such as USB sticks, iPods and PDAs means they are a common sight in most offices. 



Where's the harm in an iPod, you might ask. 
Surely the most offensive thing about an iPod 
is the often dodgy choice of music coming 
from it? When you consider that these tiny 
portable media devices can just as easily be 
used to remove confidential customer files, 
there is a clear menace behind the shiny 
chrome exterior. 

So what steps should businesses take to pro- 
tect themselves against the risks associated 
with such devices? 



Keep your enemies close. Keep your workforce closer. 

The biggest threat to the integrity of a company's IT security is not some sinister hacker trying to break into the corporate network, but employees and partners with easy access to business information. 

With removable media devices such as MP3 players, digital cameras and PDAs commonplace in companies, uncontrolled use of them carries a number of risks, from the simple nuisance factor of the network being used to store personal files and the risks associated with software theft, to the consequences of a deliberate attack on the network. 

The storage device is also a simple way for malware to propagate within your network; a user can unwittingly infect the network with a virus transferred from his home PC by such a device. 
The right security strategy 

It is widely estimated that around 80% of IT security incidents originate inside an organization, and yet an estimated 80% of security spend still goes on perimeter defenses such as firewalls, anti-virus, intrusion detection and content filtering. 

Businesses need a formalized control mechanism in place in order to protect critical business systems and databases against data and IP theft. 

If you decide to outlaw USB devices, good luck. This is a difficult proposition, and there is no foolproof method. Windows 2003 will block USB port access, but critically, will also stop USB keyboards, mice and other legitimate USB devices being used - a move that will not be popular with employees. (Disabling only the USB storage driver, USBSTOR, spares keyboards and mice, but it is still all or nothing: every storage device is blocked, for every user.) Simply disabling USB ports is therefore not the answer, as it inevitably has an adverse effect on business productivity and flexibility. 

Striking the right balance 

It's important to have an Acceptable Usage 
Policy (AUP) in place, so that employees are 
aware of what they may and may not use in 
the workplace. However, relying on AUPs 
alone is insufficient - organizations need to 
back up any policy with robust enforcement 
capabilities. 

A wholesale ban on portable media devices is 
not the answer. Certain employees across an 
organization will have a perfectly legitimate 
need to use removable media, be it a USB 
stick to transfer data or a PDA to synchronize 
diaries. 

Not all employees will need such access, so a flexible solution is needed: one that permits authorized usage and blocks unauthorized connections. 
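As an added example (not code from the article or from Network Defence), here is how such a per-group device allow list can be expressed and evaluated in Python. It parses the instance ID format Windows reports for USB devices (USB\VID_xxxx&PID_xxxx\serial, where a device that exposes no serial number gets a Windows-generated suffix containing an ampersand instead) and makes a default-deny decision. The group names, vendor and product IDs and serial numbers in the allow list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows identifies a USB device by an instance ID such as
#   USB\VID_0781&PID_5567\4C530001234567890123
# The last segment is the device's serial number. A device with no serial
# gets a Windows-generated suffix containing '&' instead, for example
#   USB\VID_04E8&PID_6860\6&1A2B3C4D&0&2
INSTANCE_ID = re.compile(
    r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\\]+)$"
)


@dataclass(frozen=True)
class UsbDevice:
    vid: str
    pid: str
    serial: Optional[str]  # None when the device has no real serial number


def parse_instance_id(instance_id: str) -> UsbDevice:
    """Split a Windows USB instance ID into vendor ID, product ID and serial."""
    match = INSTANCE_ID.match(instance_id.strip())
    if not match:
        raise ValueError("not a USB device instance ID: %r" % instance_id)
    vid, pid, tail = match.groups()
    serial = None if "&" in tail else tail
    return UsbDevice(vid.upper(), pid.upper(), serial)


@dataclass(frozen=True)
class Rule:
    vid: str
    pid: str
    serial: str = "*"  # "*" matches any serial number, but never a missing one


# Constructed allow list: which groups may use which devices. Anything not
# listed is denied (default deny), and devices that present no serial are
# refused outright because individual units cannot be told apart.
ALLOW_LIST = {
    "finance": [Rule("0781", "5567", "4C530001234567890123")],  # one issued stick
    "it":      [Rule("0781", "5567")],                           # any stick of that model
}


def device_allowed(groups, device: UsbDevice):
    """Return (True, matched rule) or (False, reason) for a user's groups."""
    if device.serial is None:
        return False, "device exposes no serial number"
    for group in groups:
        for rule in ALLOW_LIST.get(group, []):
            if (rule.vid, rule.pid) != (device.vid, device.pid):
                continue
            if rule.serial in ("*", device.serial):
                return True, "%s: %s" % (group, rule)
    return False, "no rule for %s:%s (%s)" % (device.vid, device.pid, device.serial)


if __name__ == "__main__":
    samples = [
        (["finance"], r"USB\VID_0781&PID_5567\4C530001234567890123"),
        (["finance"], r"USB\VID_0781&PID_5567\4C530009999999999999"),
        (["it"],      r"USB\VID_0781&PID_5567\4C530009999999999999"),
        (["it"],      r"USB\VID_04E8&PID_6860\6&1A2B3C4D&0&2"),
        (["sales"],   r"USB\VID_0781&PID_5567\4C530001234567890123"),
    ]
    for groups, instance_id in samples:
        allowed, why = device_allowed(groups, parse_instance_id(instance_id))
        print("%-10s %-45s %s (%s)" % (",".join(groups), instance_id,
                                       "ALLOW" if allowed else "DENY", why))
```

The decision is made on the device's identity rather than on the USB port, which is what lets a company-issued stick work for its owner while a personal MP3 player on the same port is refused; the enforcement itself still has to live on the endpoint, in whatever agent or driver filter the chosen product provides.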



David Beesley is managing director of IT security consultancy Network Defence (www.networkdefence.com), 
which he co-founded in 1996. David has been involved in the IT industry since 1985, responsible for the de- 
sign and delivery of a number of large LANs and WANs over the past 15 years. David is recognized as a lead- 
ing IT security expert in the UK and has over 12 years technical experience designing and implementing IT 
security solutions. 
Stephen Northcutt on Security Certification and the SANS Top 20 

http://www.net-security.org/article.php?id=1007 

Stephen Northcutt, the CEO of the SANS Institute, provides us with an overview of SANS activities, the Internet Storm Center, the SANS Top 20 and the evolution of the IT security market in terms of the growing need for certification. This is a video that anyone wanting to get certified will be interested in. 

Anomaly-Based Unsupervised Intrusion Detection 

http://www.net-security.org/article.php?id=1013 

Stefano Zanero talks about anomaly-based unsupervised intrusion detection. In this video he provides an overview of his research into the subject, illustrating how he worked to find ways of detecting intruders without relying on signatures. 

Data Seepage: How to Give Attackers a Roadmap to Your Network 

http://www.net-security.org/article.php?id=1015 

In this video, Robert Graham and David Maynor, the CEO and CTO of Errata Security, talk about how the days of widespread internet attacks are long gone. What is more popular now are directed or targeted attacks using a variety of different methods. This is where data seepage comes in: unbeknownst to a lot of mobile professionals, their laptops, PDAs and even cell phones can be literally bleeding information about a company's internal network. 

The Exploit Development Process 

http://www.net-security.org/article.php?id=1020 

Alexander Sotirov is a Vulnerability Researcher at Determina Inc. In this video, made at Black Hat Europe, he discusses in general terms how exploit writers develop exploits. 
Cyberspace is an information feeding frenzy. Stay off the menu. 
Black Hat USA brings together the most knowledgeable and respected figures in information and computer security to help you keep your edge. 

Six days. Thirty classes. Ninety presentations. 
On a regular basis, Cisco Press releases a number of books that are of great help both to Cisco practitioners and to those studying for one of the certifications that this networking leader offers. Over the past couple of years I had access to a vast collection of their titles and while the quality is almost always astounding, there was a clear need for this kind of "video mentor". Reading through extremely technical topics, understanding diagrams and snooping through the command line interface commands was never this easy. 



The author Kevin Wallace, CCIE No. 7945, is 
a full-time instructor of Cisco courses. With 17 
years of Cisco internet-working experience, 
Kevin holds a bachelor of science degree in 
electrical engineering from the University of 
Kentucky. 

The CCNP Video Mentor helps CCNP candi- 
dates prepare to pass the series of CCNP ex- 
ams by supplying 16 instructional videos. 
Each video presents a unique lab scenario, 
with both visual references and audio expla- 
nations of what you should expect to happen 
in a particular lab. 

The videos also show how details of the command-line interface commands are used to implement the features described in each lab video, along with running commentary. The result is a set of videos that explain some of the most important CCNP topics from the BSCI, BCMSN, ISCW, and ONT courses, with thorough explanations from a trusted mentor. 

As you can see from the images accompanying this preview, the packaging includes a DVD-ROM with the video course bundled together with a booklet covering all the labs contained in the video presentations. 

The DVD-ROM sports a spartan but easy to use interface that starts off the video course with a personal introduction by the author. After this short video, you can choose one of the CCNP labs including "Building Scalable Cisco Internetworks", "Building Cisco Multilayer Switched Networks", "Implementing Secure Converged Wide Area Networks" and "Optimizing Converged Cisco Networks". 
All of the separate labs are also personally introduced by the author and afterwards split into four chapters. While all of the videos combine the author's audio with product screenshots, usage videos, diagrams and code, you can also complement your experience by viewing the accompanying PDF files to further understand the topology diagrams and the code. 
The Cisco Press people really made this video mentor available for multiple platforms, as the DVD-ROM root contains auto start applications for both Microsoft Windows and Apple Mac OS X. There is also an HTML+Flash version of the whole class, which targets additional operating systems. 
[Screenshot of the DVD-ROM menu: the CCNP Labs list (1. Building Scalable Cisco Internetworks (BSCI) Labs, 2. Building Cisco Multilayer Switched Networks (BCMSN) Labs, 3. Implementing Secure Converged Wide Area Networks (ISCW) Labs, 4. Optimizing Converged Cisco Networks (ONT) Labs), a Registration link to ciscopress.com, a video player with a short introductory video, a "View CCNP Introduction PDF" link and the author credit "Kevin Wallace, CCIE No. 7945". Copyright 2007 Cisco Systems, Inc.] 

Overall, "CCNP Video Mentor" will definitely present itself as the next big step for Cisco Press. The videos contain quite a lot of in-depth content provided in an easy to follow way. 
All the videos take the same basic approach: 

1. The video begins with a description of its goals. 

2. The lab scenario steps are listed, giving an outline of what you should expect to see and hear during the video. 

3. The network topology used in the video is detailed. 

4. Then, for each scenario step: 

a. The video shows what you should expect from each part of the lab exercise. 

b. The video shows the CLI details of how to configure and verify that the routers and switches are working properly. 
Network Access Control 

Nuveen Shorma 

According to Aberdeen Group's "Endpoint Security Strategies Part-1" benchmark report published in November 2006, "Only 22% of the respondents agree that they had visibility for the end point compliance to the security policy, 80% had no idea of the end point compliance". These findings make the situation look pretty dire, and urgent action is demanded of those in the 80% unprotected category. The new technology on the block is Network Access Control, or simply NAC (Cisco's NAC offering is called Network Admission Control). NAC can help in determining the end point security compliance status and in remediating those end points which fail compliance checks. 



The three cardinal questions for security compliance, which every network administrator and owner endeavors to answer, are: 

1. How do I stop unauthorized users and endpoints from accessing resources on my network, whether through wired or wireless means? 

2. How do I validate the user's and endpoint's health status? For example: assess the level of operating system patches installed, the status of the anti-virus application and the currency of its definitions, and other malware detection engines and definitions. 

3. How do I remediate the endpoints and users if they fail the above, and present a layered "defense in depth" with security technologies in a cooperative environment? 

Often these questions remain unanswered, and the results are visible in the news and in reports such as the Aberdeen Group analysis. NAC, or the end point security solution, can provide the answer to all the above questions - and more - if designed and configured properly. This article will provide a clear overview of Network Access Control or end point security technologies. I'll present the NAC architecture with the details of major components and their functionality, along with considerations for implementation in real production environments. You'll get a clear view of the present day NAC techniques in the wild from major vendors, which will assist you in arriving at an optimal NAC based solution for your own environment. 

Vendors have promoted NAC solutions leveraging their own product offerings. For example, Cisco's NAC uses the Cisco PIX firewall, ASA appliances, routers and switches to perform NAC functions. On the other hand Microsoft, being the dominant provider of operating systems, has offered NAC (by the name of NAP, or Network Access Protection) built on its product line, such as Windows Server, Windows XP and recently Windows Vista. 

I'll use the terms NAC and endpoint security 
interchangeably for your ease. 



NAC solutions provide the following: 

1. Determine the security posture of clients. 

2. Grant access to various parts of the network, depending upon the outcome of the first step. 

3. Remediate compliance failures, and distribute policy to endpoints. 

For example, if a policy says to deny access to endpoints whose patch level is older than 30 days, then NAC will restrict the access of those clients which are non-compliant with this policy, and optionally a remediation process will be invoked to make that client compliant by downloading and installing the required patches. 

The three keywords in the NAC process are: Identify, Assess and Remediate. 
[Figure: NAC Architecture - end users reaching enterprise resources over wireless, VPN and LAN, with the firewall, a layer 2/3 switch and the DHCP server shown as possible enforcement points.] 

The figure above shows a high level NAC architecture where the end users access enterprise resources by wireless, VPN and LAN. We have the option of enforcing the policies at the firewall, or at another access device such as a layer 2/3 switch or the DHCP server. 

The fundamental components of a NAC solution are: 

1. Endpoints 

2. Enforcement points 

3. Policy and remediation services 

The vendor offerings may comprise a combination of the above components of NAC. Understanding these components will allow the reader to differentiate vendor offerings from one another in a pragmatic manner. 

Endpoints 

First, there must be a mechanism to determine the security posture of the endpoint machine before taking any decision on identity and access management. The endpoint assessment technologies currently available include: 

1. Agent-less: nothing is downloaded or installed on the endpoint host. 

2. Agent: an application is pre-installed or downloaded at the first connection. 

3. ActiveX or browser plug-in: this is downloaded to the endpoint when connection is attempted. 

4. Scanner: performs an IP based vulnerability scan to determine the installed patches, services etc. on the endpoint. 

The agent-less approach uses an administrative account on each end point, through which a central system connects (via Windows RPC) to inspect the machine; managing those credentials for all the end points is a considerable administrative overhead, adding to the cost of this approach. In the agent-based approach an agent application is pre-installed, or NAC prompts for the installation of the agent at the first logon of the user to the network. Agents not only assist in determining the posture of the endpoint, but can also perform access control on the end user machine with the built-in firewall and report to the NAC server. One of the disadvantages of the agent-based approach is that it works on the assumption that the agent will be pre-installed or will be installed at the first attempt to access the network, which is itself a potential source of risk. 

In the scanning method the NAC scans the end machine and, based on the scan result, the posture is determined for the next step of identity and access to network resources. This approach may or may not test the endpoint's patch levels, anti-virus definition file status, or file/registry values. Another issue is the time required to scan an endpoint, which may be exacerbated at peak endpoint activity due to simultaneous endpoint scans. With the ActiveX or browser plug-in technology, the plug-in is downloaded to the end point for posture determination and to report the compliance status of the end point. The advantage of this is comparatively low memory and CPU overhead; the trade-off is that it only runs inside a browser session (ActiveX only in Internet Explorer on Windows), so it cannot watch the endpoint continuously the way a resident agent can. 



Enforcement points 

Enforcement is the pivotal element of the whole NAC architecture, as all the access decisions are implemented here. NAC offerings from vendors tend to favor their own product lines: for example some traditional network companies implement access control on their layer 2/3 switches (which may be a difficulty for users who have switches of a different brand). 

Here are the possible enforcement options currently available in the market: 

1. Inline: includes firewalls, layer 2/3 switches and purpose built appliances 

2. 802.1X: IEEE standard for port based access control 

3. DHCP: IP assignment restrictions 

Inline based enforcement options include firewalls, layer 2/3 switches or purpose built dedicated inline appliances. Some NAC solutions offer support for other vendors' firewalls and switches for enforcement, which is welcome news for users who have a multi-vendor networking infrastructure. 

Some considerations for inline devices are: 

1. Bandwidth requirements: must support the traffic and provide future scalability, or else the inline device will become the choke point. 

2. High availability: some sort of redundancy is expected, in case the primary inline device fails (and the time associated with fail over). 

3. The degree of separation provided between the endpoints and the business critical systems inside the network. 

4. Reporting from the enforcement device: for both compliant and non-compliant endpoints. 

802.1X, or port based network access control, is the IEEE standard for carrying the Extensible Authentication Protocol (EAP, an IETF protocol) over a LAN, so that a switch port or wireless association stays closed until the attached device has authenticated. New generation layer 2/3 switches can then place the authenticated port onto a specific VLAN and impose access control lists on that VLAN's traffic. 802.1X has three major components: the Supplicant, which is the software on the endpoint attempting access; the Authenticator, which is the switch or access point the Supplicant connects to; and the Authentication server, which holds the credentials. 
The process of gaining access is: 

• The end user machine connects to the Authenticator, which can be a WLAN access point or a LAN switch. 

• The Authenticator sets the port to 'unauthorized', which permits only 802.1X (EAPOL) traffic, and requests authentication data from the endpoint. The endpoint returns its authentication data to the Authenticator. 

• The Authenticator forwards the request to the Authentication server it has been configured with (typically a RADIUS server). The RADIUS server returns an Access-Accept or Access-Reject, and can attach attributes such as the VLAN the port should be placed in. 

• Once authentication succeeds, the Authenticator opens the port for the supplicant to join the network. 

DHCP based access restriction works on the premise that the endpoint will play by the rules of the game: the DHCP server leases quarantined or unknown end points an address in a range that is restricted by ACLs on the switches and routers. Purely DHCP based restriction may not prove effective, as it is easy to bypass: an endpoint that configures a static address in the production range never talks to the DHCP server at all. 

Some of the considerations for the DHCP method of enforcement are: 

1. Is this secure enough for the environment? This requires a risk analysis. 

2. Is the existing environment's architecture suitable for this enforcement? Possibilities here include placing a NAC server inline with DHCP. 

3. Does it require a significant additional outlay for equipment? 

Policy and remediation service 

Policy and remediation services are the last part of the NAC picture, though the endpoint assessment is done against the policy set by the administrator at the very start of the NAC process. Once the assessment is carried out on the endpoint and matched against the policy for compliance, the decision to restrict or allow the endpoint is taken. If the endpoint is restricted due to a failure to comply with one or more policies, the endpoint is quarantined. 

The next logical step is to seek to remediate the endpoint. The task of a remediation service is to make the endpoint compliant with the policy, thus restoring its access to the network in a healthy state. 

The remediation process may be single or 
consist of multiple steps. For example, if an 
endpoint does not have current anti-virus 
definition and lacks critical Microsoft patches, 
then the remediation process directs the end- 
point to the current anti-virus definition and 
required Microsoft patches. 
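As an added example (not code from the article or from any NAC vendor), the Python below models the pieces described in the 802.1X process above and in this policy and remediation discussion: a RADIUS-style Authentication server that checks credentials and then assesses the reported posture against a policy (the 30-day patch rule from the earlier example, plus anti-virus definition age and host firewall state), an Authenticator that keeps the port closed to everything but EAPOL until it receives an Access-Accept, and a quarantine VLAN handed out together with an ordered list of remediation steps for a non-compliant endpoint. The policy thresholds, VLAN numbers, credentials, dates and postures are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    """Posture policy set by the administrator (constructed values)."""
    max_patch_age_days: int = 30    # the '30 days' rule from the example in the text
    max_av_age_days: int = 7
    require_firewall: bool = True
    production_vlan: int = 10
    quarantine_vlan: int = 999      # ACLs let this VLAN reach only remediation servers


@dataclass
class Posture:
    """What the agent, plug-in or scanner reports about the endpoint."""
    last_patch_date: date
    av_definition_date: date
    firewall_enabled: bool


def assess(posture: Posture, policy: Policy, today: date) -> List[str]:
    """Return the remediation steps still needed; an empty list means compliant."""
    steps = []
    if (today - posture.last_patch_date).days > policy.max_patch_age_days:
        steps.append("install missing operating system patches")
    if (today - posture.av_definition_date).days > policy.max_av_age_days:
        steps.append("update anti-virus definitions")
    if policy.require_firewall and not posture.firewall_enabled:
        steps.append("enable the host firewall")
    return steps


class AuthenticationServer:
    """The RADIUS server: holds the credentials and applies the posture policy."""

    def __init__(self, credentials: Dict[str, str], policy: Policy, today: date):
        self.credentials, self.policy, self.today = credentials, policy, today

    def authorize(self, identity: str, secret: str,
                  posture: Posture) -> Tuple[str, Optional[int], List[str]]:
        if self.credentials.get(identity) != secret:
            return "Access-Reject", None, []
        steps = assess(posture, self.policy, self.today)
        # A real server carries the VLAN in the Tunnel-Private-Group-ID attribute
        # (RFC 3580); here it is simply the second element of the tuple.
        vlan = self.policy.quarantine_vlan if steps else self.policy.production_vlan
        return "Access-Accept", vlan, steps


class Authenticator:
    """The switch port or access point the supplicant attaches to."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.authorized = False
        self.vlan: Optional[int] = None

    def accepts_frame(self, frame_type: str) -> bool:
        # An unauthorized port passes only EAPOL (802.1X) frames.
        return self.authorized or frame_type == "EAPOL"

    def connect(self, identity: str, secret: str, posture: Posture):
        """One 802.1X exchange for a supplicant that has just linked up."""
        self.authorized, self.vlan = False, None          # port starts unauthorized
        # The supplicant's identity and credential arrive over EAPOL and are
        # relayed to the authentication server, which returns the decision.
        result, vlan, steps = self.server.authorize(identity, secret, posture)
        if result == "Access-Accept":
            self.authorized, self.vlan = True, vlan      # open the port in that VLAN
        return result, vlan, steps


# Constructed sample data.
TODAY = date(2007, 6, 1)
CREDENTIALS = {"alice": "s3cret"}
COMPLIANT = Posture(date(2007, 5, 20), date(2007, 5, 30), True)
STALE_PATCHES = Posture(date(2007, 4, 1), date(2007, 5, 30), True)
NO_FIREWALL = Posture(date(2007, 5, 20), date(2007, 4, 1), False)


def new_port() -> Authenticator:
    return Authenticator(AuthenticationServer(CREDENTIALS, Policy(), TODAY))


if __name__ == "__main__":
    port = new_port()
    for label, secret, posture in [("compliant", "s3cret", COMPLIANT),
                                   ("stale patches", "s3cret", STALE_PATCHES),
                                   ("no firewall, old AV", "s3cret", NO_FIREWALL),
                                   ("bad password", "wrong", COMPLIANT)]:
        result, vlan, steps = port.connect("alice", secret, posture)
        print("%-20s %-13s vlan=%-4s ip allowed=%-5s remediation=%s"
              % (label, result, vlan, port.accepts_frame("IP"), steps))
```

The authentication and the posture decisions are deliberately kept apart: a failed credential is a flat Access-Reject with the port left closed, whereas a valid user on an unhealthy machine is admitted only to the quarantine VLAN, where the remediation service can work through the returned steps and the endpoint can then be re-assessed.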

The endpoint security posture should also be 
regularly re-tested, so as to remain proactive. 
The results of this continuous monitoring of 
the endpoint posture and status of compliance 
must be reported promptly. Another point to 
consider here is the execution and delivery of 
policy, either to the endpoint or enforcement 
point. The frequency and protocol for delivery 
are equally important in this whole NAC 
framework. Needless to say the policy has to 
be regularly backed-up, and the facility to re- 
store from backed-up policies should be regu- 
larly tested. 

Some considerations for the remediation and 
policy service are: 

1. Placement and capacity of remediation servers, for example the patch distribution mechanism. 

2. Will remediation be self-service, or will it be performed by the help desk? 

3. How does the remediation server obtain third-party details such as the currency of anti-virus and other malware definitions, Microsoft patch levels, and more? 

4. What mechanism is in place for communication between the remediation servers and the policy server? 

Conclusion 

NAC is a rapidly evolving field and holds im- 
mense promise for the future of endpoint se- 
curity. NAC can deliver lower costs and tools 
for the compliance checking and managing 
the security posture of endpoints. More ma- 
ture NAC products can be expected in the fu- 
ture with the entry of innovative players into 
the market. 